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(54) Secure gateway and method for communication between networks 



(57) An apparatus and method for providing a se- 
cure firewall between a private network (10) and a public 
network (12) are disclosed. The apparatus is a gateway 
station (14) having an operating system that is modified 
to disable communications packet forwarding i and tur : 
ther modified to process any communications packet 
having a network encapsulation address which matches 
tha device address of the gateway station. The method 
includes enabling the gateway station to transparently 
initiate a first communications session with a client on a 
first network requesting a network service from a host 
on a second network, and a second independent com- 
munications session with the network host to which the 
client request was addressed. The data portion of com- 
munications packets from the first session are passed 
to the second session, and vice versa, by application 
level proxies which are passed the communications 
packets by the modified operating system. Data sensi- 
tivity screening is preferably performed on the data to 
ensure security. Only communications enabled by a se- 
curity administrator are permitted. The advantage is a 
transparent firewall with application level security and 
data screening capability. 
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Description 
TECHNICAL FIELD 

5 This application relates generally to internetwork communications and data exchanges and : in particular, to secure 

gateways which serve as firewalls between computer networks to inhibit electronic vandalism and espionage. 

BACKGROUND OF THE INVENTION 

io As computing power and computer memory have been miniaturized and become more affordable, computer net- 

works have largely displaced mainframe and minicomputer technology as a business automation platform. Public in- 
formation networks have also sprung up around the world. The largest and most pervasive public network is the Internet 
which was created in the late 1960s as a United States Department of National Defence project to build a network 
connecting various military sites and educational research centers. While the interconnection of private networks with 

i5 public networks such as the Internet may provide business opportunities and access to vital information, connecting 
a private, secure network to a public network is hazardous unless some form of secure gateway is installed between 
the two networks to serve as a "firewall*. 

Public networks, as their name implies, are accessible to anyone with compatible hardware and software. Conse- 
quently, public networks attract vandals as well as amateurs and professionals involved in industrial espionage. Private 

20 networks invariably store trade secret and confidential information which must be protected from exposure to unau- 
thorized examination, contamination, destruction or retrieval. Any private network connected to a public network is 
vulnerable to such hazards unless the networks are interconnected through a secure gateway which prevents unau- 
thorized access from the public network. 

A great deal ol effort has been dedicated to developing secure gateways for internetwork connection. As noted 

25 above, these gateways are commonly referred to as firewalls. The term firewall is broadly used to describe practically 
any internetwork security scheme. Firewalls are generally developed on one or more of three models: the screening 
router, the bastion host and the dual homed gateway. These models may be briefly defined as: 

Screening router - Screening routers typically have the ability to block traffic between networks or specific hosts 
on an IP port level. Screening routers can be specially configured commercial routers or host-based packet filtering 

30 applications. Screening routers are a basic component of many firewalls. Some firewalls consist exclusively ol a screen- 
ing router or a packet filter. 

Bastion host - Bastion hosts are host systems positioned between a private network and a public network which 
have particular attention paid to their security. They may run special security applications, undergo regular audits, and 
include special features such as "sucker traps" to detect and identify would-be intruders. 

35 Dual homed gateway - A dual homed gateway is a bastion host with a modified operating system in which TCP/IP 

forwarding has been disabled. Therefore, direct traffic between the private network and the public network is blocked. 
The private network can communicate with the gateway, as can the public network but the private network cannot 
communicate with the public network except via the public side of the dual homed gateway. Application level or "proxy" 
gateways are often used to enhance the functionality of dual homed gateways. Much of the protocol level software on 

40 networks operates in a store-and-forward mode. Prior art application level gateways are service-specific store-and- 
forward programs which commonly operate in user mode instead of at the protocol level. 

All ol the internetwork gateways known to date suffer from certain disadvantages which compromise their security 
or inconvenience users. Most known internetwork gateways are also potentially susceptible to intruders if improperly 
used or configured. 

45 The only firewall for many network installations is a screening router which is positioned between the private net- 

work and the public network. The screening router is designed to permit communications only through certain prede- 
signated ports. Many network services are offered on specific designated ports. Generally, screening routers are con- 
figured to permit all outbound traffic from the private network while restricting inbound traffic to those certain specific 
ports allocated lo certain network services. A principal weakness of screening routers is that the router's administrative 

so password may be compromised. If an intruder is capable of communicating directly with the router, the intruder can 
very easily open the entire private network to attack by disabling the screening algorithms. Unfortunate fy, this is ex- 
tremely difficult to detect and may go completely unnoted until serious damage has resulted. Screening routers are 
also subject to permitting vandalism by "piggybacked" protocols which permit intruders to achieve a higher level of 
access than was intended to be permitted. 

ss Packet filters are a more sophisticated type ol screening that operates on the protocol level. Packet filters are 

generally host-based applications which permit certain communications over predefined ports. Packet filters may have 
associated rule bases and operate on the principle ol "that which is not expressly permitted is prohibited". Public 
networks such as the Internet operate in TCP/IP protocol. A UNIX operating system running TCP/IP has a capacity of 
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64K communication ports. It is therefore generally considered impractical to construct and maintain a comprehensive 
rule base for a packet filter application. Besides, packet filtering is implemented using the simple Internet Protocol (IP) 
packet filtering mechanisms which are not regarded as being robust enough to permit the implementation of an ade- 
quate level of protection. The principal drawback of packet filters is that they are executed by the operating system 
5 kernel and there is a limited capacity at that level to perform screening functions. As noted above, protocols may be 
piggybacked to either bypass or fool packet filtering mechanisms and may permit skilled intruders to-access the private 
network. 

The dual homed gateway is an often used and easy to implement alternative. Since the dual homed gateway does 
not forward TCP/IP traffic, it completely blocks communication between the public and private networks. The ease of 

io use of a dual homed gateway depends upon how it is implemented. It may be implemented by giving users logins to 
the public side of the gateway host, or by providing application gateways, for specific services. If users are permitted 
to log on to the gateway, the firewall security is seriously weakened because the risk of an intrusion increases sub- 
stantially, perhaps exponentially, with each user login due to the fact that logins are a vulnerable part of any security 
system. Logins are often compromised by a number of known methods and are the usual entry path for intruders. 

is The alternative implementation of a dual homed gateway is the provision of application gateways for specific net- 

work services. Application gateways have recently gained general acceptance as a method of implementing internet- 
work firewalls. Application gateways provide protection at the application level and the Transmission Control Protocol 
(TCP) circuit layer. They therefore permit data sensitivity checking and close loopholes left in packet filters. Firewalls 
equipped with application gateways are commonly labelled application level firewalls. These firewalls operate on the 

20 principle of "that which is not expressly permitted is prohibited'. Users can only access public services for which an 
application gateway has been installed on the dual homed gateway Although application level firewalls are secure, 
the known firewalls of this type are also inefficient. The principal disadvantage of known application level firewalls is 
that they are not transparent to the user. They generally require the user to execute time-consuming extra operations 
or to use specially adapted network service programs. For example, in an open connection to the Internet, a user can 

25 Telnet directly to any host on the Internet by issuing the following command: 
Telnet target. machine 

However if the user is behind an application level firewall, the following command must be issued: 
Telnet firewall 

After the user has established a connection with the firewall, the user will optionally enter a user ID and a password 
30 if the firewall requires authentication. Subsequent to authentication, the user must request that the firewall connect to 
the final Telnet target machine. This problem is the result of the way in which the UNIX operating system handles IP 
packets. A standard TCP/IP device will only accept and attempt to process IP packets addressed to itself. Consequently, 
if a user behind an application firewall issues the command: 
Telnet target machine 

35 an IP packet will be generated by the user workstation that is encapsulated with the device address of the firewall but 
with an IP destination address of the target. machine. This packet will not be processed by the firewall station and will 
therefore be discarded because IP packet forwarding has been disabled in the application level firewall. 

Known application level firewalls also suffer from the disadvantage that to date application interfaces have been 
required for each public network service. The known application level firewalls will not support "global service" or 

40 applications using "dynamic port allocations' assigned in real time by communicating systems. 

Users on private networks having an application level firewall interface therefore frequently install "backdoors" to 
the public network in order to run services for which applications have not been installed, or to avoid the inconvenience 
ol the application gateways. These backdoors provide an unscreened, unprotected security hole in the private network 
which renders that network as vulnerable as if there were no firewall at all. 

45 

SUMMARY OF THE INVENTION 

It is an object of the invention to provide an internetwork security gateway which overcomes the known disadvan- 
tages of prior art internetwork security gateways. 
so It is a further object of the invention to provide an internetwork security gateway which provides application proxy 

flexibility, security and control while permitting users to transparently access public network services. 

It is a further object of the invention to provide an internetwork security gateway which supports any currently 
offered or future network service. 

It is yet a further object of the invention to provide an internetwork security gateway which supports applications 
55 using port numbers that are dynamically assigned in real time by the communicating systems. 

It is yet a further object of the invention to provide an internetwork security gateway which listens to all communi- 
cations ports in order to detect any attempted intrusion into a protected network, regardless of the intruder's point of 
attack. 
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In accordance with a first aspect of the invention there is disclosed a method of providing a secure gateway between 
a private network and a potentially hostile network, comprising the steps of: 

a) accepting from either network all communications packets that are encapsulated with a hardware destination 
5 address that matches the device address of the gateway: 

b) determining whether there is a process bound to a destination port number of an accepted communications 
packet; 

c) establishing a first communications session with a source address/source port of the accepted communications 
packet if there is a process bound to the destination port number, else dropping the packet; 

10 d) establishing a second communications session with a destination address/destination port number of the 

accepted communications packet if a first communications session is established; and 

e) transparently moving data associated with each subsequent communications packet between the respective 
first and second communications sessions, whereby the first session communicates with the source and the second 
session communicates with the destination using the data moved between the first and second sessions. 

15 

In accordance with a further aspect of the invention there is disclosed an apparatus for providing a secure gateway 
for data exchanges between a private network and a potentially hostile network, comprising in combination: 

a gateway station adapted for connection to a telecommunications connection with each of the private network 
20 and the potentially hostile network; 

an operating system executable by the gateway station, a kernel of the operating system having been modified 
so that the operating system: 

a) cannot forward any communications packet from the private network to the potentially hostile network or 
25 from the potentially hostile network to the private network; and 

b) will accept for processing any communications packet from either of the private network and the potentially 
hostile network provided that the packet is encapsulated with a hardware destination address that matches 
the device address of the gateway station on the respective networks; and 

30 at least one proxy process executable by the gateway station, the proxy process being adapted to transparently 

initiate a first communications session with a source of an initial data packet accepted by the operating system 
and to transparently initiate a second communications session with a destination of the packet, and to transparently 
pass a data portion of packets received by the first communications session to the second communications session 
and to pass the data portion of packets received by the second communications session to the first communications 

35 session, whereby the first session communicates with the source using data from the second session and the 

second session communicates with the destination using data received from the first session. 

The invention therefore provides a method and an apparatus which permits a private network to be securely in- 
terconnected with a public or a potentially hostile network. 

40 The method in accordance with the invention involves protecting a private network interconnected with a potentially 

hostile network whereby a gateway between the two networks transparently imitates a host when a communication 
data packet is received from a client on one of the networks by initiating a communication session with Ihe client. If 
the client is determined to have access rights to the requested service : the gateway station imitates the client to the 
host on the other network by initiating a communications session with the host. Thereafter, data is passed between 

45 the client session and the host session by a process which coordinates communications between the two distinct, 
interdependent communications sessions which proceed between the client and the gateway station and the host and 
the gateway station. 

For instance, using a gateway station in accordance with the invention as an internetwork interface, a user on the 
private network can issue the command: 
so telnet publictarget.machine 

and the command will appear to the user to be executed as if no gateway existed between the networks so long as 
the user is permitted by the rule bases maintained by the private network security administrator to access the public- 
target machine. 

In order to achieve transparency of operation, the gateway station is modified to accept for processing all IP packets 
55 encapsulated in a network operating system capsule (e.g. an ethemet capsule) having a destination address which 
matches the device address of the gateway station, regardless of the destination address of the IP packet. This mod- 
ification permits the gateway station to provide transparent service to users on either network, provided the users are 
authorized for the service. Furthermore, the gateway station in accordance with the invention runs a novel generic 
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proxy which permits it to listen to all of the 64K communications ports accommodated by the UNIX operating system 
which are not served by a dedicated proxy process. As is well known to those skilled in the art, certain internetwork 
services have been assigned specific ports for communication. Most of the designated ports on the Internet are those 
port numbers in the range of 0-1 K (1,024). Other applications and services use port numbers in the range of IK to 

$ 64K. As noted above, the gateway station in accordance with the invention "listens" to all 64K ports. The generic proxy 
process which is executed by the gateway station responds to any request for service that is not served by a dedicated 
proxy process, regardless of the destination port number to which the request for service is made. Every request for 
service may therefore be responded to. When an intruder attacks a private network, the intruder must attempt to access 
the network through the gateway station. Most firewalls listen to only a limited subset of the available communications 

io ports. An intruder can therefore probe unattended areas of the firewall without detection. The gateway station in ac- 
cordance with the invention will, however, detect a probe on any port and may be configured to set an alarm condition 
if repealed probes are attempted. The gateway station in accordance with the invention can also be configured to 
perform data sensitivity screening because all communications packets are delivered by the kernel to the application 
level where the data portion of each packet is passed from one in progress communications session to the other. Data 

i5 sensitivity screening permits the detection of sophisticated intrusion techniques such as piggybacked protocols, and 
the like. 

The apparatus in accordance with the invention is modeled on the concept of a bastion host, preferably configured 
as a dual home firewall. The apparatus in accordance with the invention may also be configured as a multiple-home 
firewall, a single-home firewall or a screened subnet. Regardless of the configuration, the apparatus preferably com- 

20 prises a UNIX station which executes a modified operating system in which IP packet forwarding is disabled. The 
apparatus in accordance with the invention will not forward any IP packet, process ICMP direct messages nor process 
any source routing packet between the potentially hostile network and the private network. Without IP packet forward- 
ing, direct communication between the potentially hostile network and the private network are disabled. This is a com- 
mon arrangement for application level firewalls. The apparatus in accordance with the invention is, however, configured 

25 to provide a transparent interface between the interconnected networks so that clients on either network can run stand- 
ard network service applications transparently without extra procedures, or modifications to accomplish communica- 
tions across the secure gateway. This maximizes user satisfaction and minimizes the risk of a client establishing a 
"back door' to a potentially hostile network. 

The methods and the apparatus in accordance with the invention therefore provide a novel communications gate- 

30 way for interconnecting private and public networks which permit users to make maximum use of public services while 
providing a tool for maintaining an impeccable level of security for the private network. 

BRIEF DESCRIPTION OF THE DRAWINGS 

35 A preferred embodiment of the invention will now be further explained by way of example only and with reference 

to the following drawings, wherein: 

FIG. 1 is a schematic diagram of a preferred configuration for an apparatus in accordance with the invention for 
providing a secure gateway for data exchanges between a private network and a potentially hostile network; 
40 FIG. 2 is a schematic diagram of an IP header, a TCP and a UDP header in accordance with standard TCP/IP 

format; 

FIG. 3 is a schematic diagram of ethernet encapsulation in accordance with RFC 894; 

FIG. 4 is a schematic diagram of a communications flow path between a gateway station in accordance with the 
invention, a client on a private network and a host on a public network; 
45 FIG. 5 is a flow diagram of a general overview of TCP routing by the kernel of a UNIX station in accordance with 

the prior art; 

FIG. 6 is a flow diagram of a general overview of TCP routing by a modified UNIX kernel in accordance with the 
invention; 

FIG. 7a is a first portion of a flow diagram of a general overview of the implementation of the invention at the 
so application level of a gateway station; and 

FIG. 7b is a second portion of the flow diagram shown in FIG. 7a. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

ss Most UNIX hosts communicate using TCP/IP protocol. The preferred embodiment of the invention is therefore 

constructed from a UNIX station having a UNIX operating system. While the preferred embodiment of the invention 
described below is explained with particular reference to the UNIX environment, it is to be well understood by those 
skilled in the art that the principles, concepts and methods described may be readily adapted to function with other 
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internetwork communication protocols in other operating environments. 

FIG. 1 shows a schematic diagram of a private network 10, considered a secure network, connected to a public 
network 12. considered a potentially hostile network, through a gateway station 14 in accordance with the invention, 
tn this configuration, the gateway station 14 is configured as a dual homed bastion host which provides a secure 
interface between the private network 10 and the public network 12. 

The private network 10 includes a multiplicity of users 1 6, commonly referred to as clients, and one or more servers 
such as the name, mail and news server 18. The public network 1 2 may be f for example, the Internet which comprises 
hundreds of thousands of interconnected machines. The connection between the private network 10 and the public 
network 12 passes through a router 20 that relays packets over a communications line 22 which may be an ISDN, 56K 
level BPS : T1 or a dial up connection depending on the private network's arrangement with a public network service 
provider All of the private network 10 on the private side of the gateway station 14 is unavailable to the public and is 
not advertised on the public network 12. The gateway station 14 does not broadcast any routes to the public network 
1 2 and the gateway router 20 should not have any static routes defined for the private network 1 0. The private network 
10 is therefore 'routing invisible" to the public network 12. The hosts in the private network 10 can use private network 
addresses as defined in RFC-1597. 

As can be seen in FIG. 1 , the gateway station has one device address for its communications connection with the 
private network 10 and another device address for its communications connection with the public network 12. The 
device address on the public side of the gateway station 14 must be advertised on the public network 12. The private 
network 10 may also include one or more public servers 24 which may be accessed directly from the public network 
12. The public servers 24 must have addresses which are registered and published on the public network 12. The 
private network 1 0 can only access the public servers 24 through the gateway station 1 4. The public server 24 is treated 
like any other server on the public network 12 when a user 16 initiates communication from the private network 10. 

The gateway station 14 is preferably a UNIX station, well known in the art. The kernel of the operating system of 
the gateway station 14 is modified to disable all IP forwarding, source routing and IP redirecting functions. It is therefore 
impossible to have communication data packets flow directly through the gateway station 14. As will be explained 
below in some detail, these functions have been replaced with processes which ensure that all communications data 
packets from the private network 10 to the public network 12, or vice versa, are properly authenticated. 

Public network communications are typically in TCP/IP format. FIG. 2 shows a schematic diagram of an IP header 
26, a TCP header 28 and a UDP (User Datagram Protocol) header 30. Each IP header includes a 32-bit source IP 
address 32 and a 32-bit destination IP address 34. Each TCP header and each UDP header include a 16-bit source 
port number 36 and a 16-bit destination port number 38. Each communication data packet therefore includes a source 
address/source port number and a destination address/destination port number, in accordance with this communica- 
tions protocol which is well known in the art. In addition to the TCP/IP communications protocol, local area networks 
often operate using ethernet network control software which handles intranetwork communications. In accordance with 
ethernet protocol, TCP/IP packets are encapsulated with an ethernet encapsulation packet to facilitate routing and 
ensure error free transmission. 

FIG. 3 shows a schematic diagram of an ethernet encapsulation packet in accordance with RFC 894. Each en- 
capsulation includes an ethernet destination address 40, an ethernet source address 42 and a check sum 44 for facil- 
itating error detection and correction. 

FIG. 4 illustrates schematicalry a typical communications session between a client station 16 on the private network 
1 0 and a public host 46 on the public network 1 2. All communications between the networks are handled by the gateway 
station 14. When a client 16 wishes to communicate with the public network 12, such as in accessing a public host 46, 
the client 16 issues a network command as if the client were not behind a firewall. For instance, client 16 may issue 
the command: 
Telnet Target. Machine 

The private network 10 is configured so that all packets directed to the public network 12 are encapsulated with the 
ethernet destination address (1 92.1 68.77. 1 ) of the gateway station 1 4. A TCP/LP packet encapsulated with the ethernet 
destination address of the gateway station 14 is therefore dispatched by the client 16. A normally configured UNIX 
device will not accept for processing TCP/IP packets which do not have an IP destination address equal to its own IP 
address. The kernel of the operating system of the gateway station 14 is modified so that the gateway station 14 will 
accept for processing any TCP/IP packet having an encapsulation destination address 40 that matches the device 
address of the gateway station 14. When the gateway station 1 4 receives the client packet containing the Telnet com- 
mand, a process is initiated on the gateway station 14 which responds to the client 16 to establish a communication 
session 17 as if it were the target machine. As will be explained below in detail, the process then authenticates the 
client's authorization to access the requested service and if the client 16 is determined to have the required authori- 
zation, the gateway station 14 initiates a second communications process 19 with the remote host 46 in which the 
gateway station 14 simulates the client 16 without revealing the client address. Once the two communication sessions 
17,19 are operative, communication is effected between the client 1 6 and the host 46 by passing communication data 



EP 0 713 311 A1 



between the two interdependent communication sessions. This is accomplished by a process that operates at the 
application level on the gateway station 14, as will be explained in detail below. The process accepts communication 
packets passed from the IP layer ol the gateway station 14 by the modified operating system kernel, extracts the data 
from the packets and passes the data to the appropriate interdependent communications session. Oata sensitivity 

s checking is preferably performed before packet data is released to the appropriate interdependent communications 
session. Data sensitivity checking can prevent protocol piggybacking and other sophisticated intrusion techniques. 
Data sensitivity checking is performed using application level algorithms, some of which are well known in the art, but 
new algorithms are still being developed. All of this processing is completely transparent to client 16 because all com- 
munications appear to be direct to host 46. Host 46 likewise cannot detect that communications with client 16 are not 

io direct 

FIG. 5 shows a general overview of the way in which a prior art UNIX operating system kernel handles data 
communication packets. In a first step 48, a data packet is received by a UNIX workstation (not illustrated). The en- 
capsulation address (typically an ethemet encapsulation destination address 40, see FIG. 3) is checked to determine 
whether it matches a device address of the station in step 50. If the addresses do not match, the packet is dropped in 

is step 52. If the addresses match, the IP destination address 34 (see FIG. 2) is examined to determine whether it matches 
an IP address of the station in step 54. If a match is found, the destination port is examined in step 56 to determine 
whether there is a process bound to a communications port indicated as the destination port by a TCP or UDP portion 
ol the packet that indicates the destination port number 36 (see FIG. 2). If no process is bound to the destination port, 
the packet is dropped in step 56. Otherwise, the-kernel starts a TCP or a UDP session with the IP source in step 59, 

20 and delivers the packet to the bound process in step 60. Thereafter, the packet is processed by the process bound to 
the destination port in step 61 , in a manner well known in the art. If the IP destination address does not match any IP 
address for the station, the kernel attempts to forward the packet in step 62 by consulting routing tables in a process 
which is also well understood by those skilled in the art. 

FIG. 6 is a flow diagram of a general overview of packet processing by a UNIX operating system kernel modified 

2S in accordance with the invention. In order to understand the process completely, it is important to understand that the 
gateway station 14 (see FIG. 1) is configured by a systems administrator using configuration programs supplied with 
the gateway station 1 4. When the gateway station 14 is initialized, a system configuration file is examined to determine 
what network services are to be supported by the gateway station 14. In order to maximize performance efficiency of 
the gateway station 14, commonly used services are supported by processes adapted to most efficiently handle com- 

30 munications for each respective service. These processes are called "proxies". On system initialization, any proxy 
given operating rights by the system administrator is said to "bind" to the port to which the proxy has been assigned. 
Thereafter, the process is said to be "bound" to the port. In accordance with the invention, the gateway station 14 is 
also supplied with a generic proxy that is assigned to port 5981 3. This port assignment is an arbitrary assignment and 
another port number may be used. When the gateway station 14 is initialized, the generic proxy binds to port 59813, 

35 provided that the systems administrator has given it operating rights to do so. 

With reference again to FIG. 6, the modified kernel receives a packet in step 64 in the same manner as an un- 
modified prior art kernel. The packet is examined to determine whether the encapsulation destination address 40 (see 
FIG. 3) equals the device address of the gateway station 14 in step 66. If no match is found, the packet is dropped in 
step 68. If the encapsulation destination address 40 equals the device address of the gateway station 14, the destination 

40 port of the TCP or UDP portion of the packet is examined to determine the destination port number 38 (see FIG. 2) 
and whether there is a process bound to that destination port in step 70. The IP destination address 34 of the packet 
is ignored while making this determination. If no proxy process is bound to the destination port of the data packet, the 
kernel checks port 5981 3 to determine whether the generic proxy process is bound to that port in step 72. If the generic 
proxy process is not bound to port 59813, the packet is dropped in step 74. If it is determined that a proxy process is 

45 bound to a port which can serve the destination port number 38 in either of steps 70 or 72, a session (TCP or UDP) is 
initiated with the packet source IP address 32 in step 76 and in step 78, the packet is delivered by the kernel to the 
proxy process designated in steps 70, 72. This critical modification of the operating system kernel permits the kernel 
within the permission boundaries imposed by a systems administrator, to "listen" to all 64K ports available for commu- 
nication. Appendix A attached hereto is a printed listing of the modified source code in the kernel. 

50 FIGs. 7a and 7b show a flow diagram of a general overview of processing at the application or proxy level of 

operations on the gateway station 14 in accordance with the invention. While this general overview shows a simple 
single user process, it will be understood by those skilled in the art that all proxies in accordance with the invention 
are multi-tasking proxies which can service a plurality of users simultaneously by creating "sockets" for multi-task 
organization in a manner well understood in the art. 

55 in step 80 of FIG. 7a, the proxy is initialized. The proxy may be any one of a number of proxies. As noted above, 

in order to maximize the performance of a gateway station 14, certain customized proxies handle certain services. In 
particular, the preferred embodiment of the invention includes at least the following customized proxies: 
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proxy - Telnet (port 23) 
proxy - FTP (port 21) 
proxy - Gopher (port 70) - 
proxy - TCP (port xxx or port 59813) 
s UDP - relay (port xxx or port 59S1 3) 



These custom proxies are adapted to most efficiently handle the services with which they are associated. Other 
custom proxies can, of course, be added to the proxy processes which are bound to ports on the gateway station 14. 
If a data packet has a destination port number 38 that is determined to point to a port to which a custom proxy process 

w is bound, the packet is passed by the kernel to that custom proxy process in step 82 where the custom proxy process 
waits for packets to arrive on the port to which it is bound, represented by 'port xxx' in the diagram. As explained above 
with relation to FIG. 6, if the destination port number 38 of a data packet does not point to a port to which a custom 
proxy process is bound, the packet is delivered by the kernel to port 5981 3. Proxy 59813 is the generic proxy process 
which is designated to handle any request for service for which a customized proxy process does not exist. Although 

is the generic proxy process is literally bound to a specific port, such as port 59813, in combination with the modified 
kernel it is operationally bound to every port to which a custom proxy process is not bound. Thus a versatile gateway 
station 14 which can handle any TCP/IP communications session is provided. 

When the packet is passed by the kernel in step 82 to a bound proxy process, the proxy process determines 
whether the source IP address 32 is permitted to communicate with the destination IP address in step 84. This is 

20 accomplished by reference to a rule base maintained by a systems administrator of the private network. Rule bases 
are well understood in the art and their structure is common general knowledge. Preferably, the rule base in accordance 
with the preferred embodiment of the invention includes a minimum of the following elements in the rule set to determine 
authorization: 



25 |p source address 

IP destination address 

Service required (Telnet, Archie, Gopher, WAIS, etc.) 

User ID 

Password 

30 

If the IP source address 32 is determined in step 84 not to be authorized for the requested service, the gateway 
station 1 4 drops the communication session in step 86. Otherwise, the proxy determines whether user level authenti- 
cation is required in step 88. User level authentication is also under the control of the systems administrator. For 
example, the systems administrator may not require any authentication of users on the private network on the theory 

35 that the private network is only accessible to secure individuals. On the other hand, the systems administrator has the 
option of requiring user level authentication lor all users or any selected user. Even if user level authentication is 
required, in accordance with the preferred embodiment of the invention a user can authenticate and enable transparent 
mode wherein authentication need not be repeated for subsequent sessions for as long as authentication is maintained, 
as will be explained below in more detail. 

40 If user level authentication is determined to be required in step 88, the proxy process authenticates the user in 

step 90. Authentication is preferabry accomplished by requiring the user to enter an identification code and a password 
in a manner well known in the art. The identification code and the password entered are verified in a user authentication 
data base (not illustrated), the structure and operation of which are also well known in the art. In step 92, the gateway 
station 14 determines whether the user has authenticated by referencing the user authentication data base. If the user 

45 is not successfully authenticated, the session is dropped in step 94. If it is determined that no authentication is required 
in step 88, or if the user successfully authenticates in step 92, the IP destination address 34 of the packet is examined 
to determine if it is an IP address of the gateway station 1 4 in step 96 (see FIG. 7b). Step 96 is preferabry only executed 
by the custom proxies for Telnet, FTP and Gopher, as will be explained below in detail. If the IP destination address 
34 of the packet corresponds to an IP address of the gateway station 14, the gateway station starts a session to permit 

so the user to enable or disable transparent mode in step 98, as will also be explained below In step 100, the proxy 
process waits for communication packets to arrive on the port "xxx", which is the port on which the communications 
session was initiated, where it is delivered by the modified kernel. When a communications packet arrives, it is proc- 
essed by the proxy process to permit the IP source to enable or disable transparent mode in step 1 01 . Thereafter, the 
proxy process determines in step 102 whether the session has ended and if not it returns to step 100 to wait for a data 

55 packet to arrive on the port. Otherwise it returns to step 80 (see FIG. 7a) to initialize for a new session. If the IP 
destination address 34 of the packet does not match an IP address of the gateway station 14, a second communication 
session is established in step 104. The second communication session is established between the gateway station 14 
and the IP destination address 34/TCP destination port number 38 indicated by the packet. The second communication 
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session established in step 104 is established exclusively by the proxy process, all operations being completely trans- 
parent to the IP source. Once the second communications session is established, the proxy process watts for data 
packets from each session in step 106. The data packets are delivered by the kernel to the proxy process which relays 
the data portion of each packet from one session to the other so that the two interdependent sessions appear to the 
s |p source and to the IP destination to be one direct session between a client source and a host destination. Data 
sensitivity checking may be accomplished by the proxy process before relaying the data from one session to the other. 
Data sensitivity checks ensure that the gateway station 14 provides a very secure interface that is, for all practical 
purposes, impossible for intruders to breach. 

Thus a completely transparent firewall is provided which permits a security administrator to exercise potent control 

io over the access to the private network. In step 108, the proxy process checks to determine whether either of the 
sessions is terminated. If either session terminates, the other session is likewise terminated and the proxy process 
returns to step BO for initialization. The custom proxy processes in accordance with the invention are public domain 
proxy processes which have been modified to cooperate with the kernel in accordance with the methods of the invention. 
Appendix B attached hereto is a printed listing of the modifications made to the public domain proxies for the Telnet 

is proxy and the FTP proxy. The principles illustrated may be applied by a person skilled in the art to any public domain 
or proprietary proxy process. 

One of the significant features of the invention is the fact that the proxy process which executes in accordance 
with the flow diagram shown in FIG. 7 may be the generic proxy process, which can handle any request for service for 
which a customized proxy process does not exist The generic proxy process in accordance with the invention is a 

20 proprietary TCP proxy. A complete source code listing of the proxy TCP is attached hereto as Appendix D. As explained 
above, in the preferred embodiment of the invention, the generic proxy process is bound to port 5981 3, but the specific 
port to which the proxy process is bound is substantially immaterial. The generic proxy process increases many fold 
the versatility of gateway station 14 and permits the gateway station to handle any communications session, including 
sessions which use port numbers dynamically allocated in real time by the communicating systems. It also provides a 

25 secure gateway which is adapted to support, without modification, new service offerings on the public network 12. If a 
new service offering becomes a popular service for which there is demand, a customized proxy can be written for that 
service. During development and testing of the customized proxy, however, the new service can be supported by the 
generic proxy process. Thus a versatile, secure internetwork gateway is provided which supports any known or future 
service available on a public network. 

30 The gateway is completely transparent to users in all instances except when a user authentication is requested. 

In that instance, users may be authorized to enter authentication requests to enable a transparent mode of operation 
wherein subsequent sessions require no further authentication, and the gateway station 14 is completely transparent 
to the user. In accordance with the preferred embodiment of the invention, transparent mode can be enabled using a 
Telnet session, an FTP session or a Gopher session. To enable transparent mode using the Telnet program, a Telnet 

35 session is started with gateway station 14 as follows: 

your-host% telnet gatewaystation.company.com 

Trying 198.53.64.2 

Connected to gatewaystation.company.com 
40 Escape character is * A ]* 

gateway station proxy-telnet ready: 

Username: You 

Password: xxxxxxx 

Login Accepted 
45 proxy-telnet> enable 

proxy-telnet> quit 

Disconnecting 

Connection closed by foreign host. 
your-host% 

so 

A user may also authenticate and enable transparent mode using the FTP program as follows: 

your-host% FTP gatewaystation.company.com 

Connected to gatewaystation.company.com 
55 220 gatewaystation proxy-FTP ready: 

Name (gatewaystation.company.com:you): You 
331 Enter authentication password for you 
Password: xxxxxxx 
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230 User authentication to proxy 
ftp > quote enable 
Transparent mode enabled 
ftp > quit 
5 your-host% 

tn the preferred embodiment of the invention, a proprietary Gopher proxy is enabled to automatically initiate trans- 
parent mode after the user has successfully authenticated to the gateway station 14 by entering a valid user identifi- 
cation and password, whenever a Gopher session is requested and user authentication is required. This user authen- 

io tication capability is a novel feature for a Gopher proxy. The proprietary source code for the novel Gopher proxy is 
appended hereto as Appendix C. 

The modes for implementing transparent mode are, of course, arbitrary and may be redesigned or reassigned to 
other programs or proxies as those skilled in the art deem appropriate. Once the transparent mode is enabled, an 
authentication directory is updated by creating a file entry for the source IP address 32. The authentication files include 

is a creation time variable which is automatically set to the system time when the file is created. This creation time variable 
is used to track the time of authentication. The files also include a last modification time variable which is automatically 
updated by the system each time the file is modified. By rewriting the authentication file each time a user initiates a 
new communications session through the gateway station 1 4 the time of last use of the gateway station can be tracked. 
This authentication directory is inspected periodically and user files are deleted from the authentication directory based 

20 on any number of predetermined criteria. In accordance with the preferred embodiment, the user file is deleted from 
the authentication directory if the user has not initiated a communications session through the gateway station for a 
period of time predefined by the systems administrator. In addition, the user file may be deleted from the authentication 
directory at a predetermined time of day defined by the system administrator. It is therefore possible to have the au- 
thentication of all users of the gateway station 14 revoked at a specified time of day, such as the end of the business 

2S day. This further fortifies the security of the gateway. 

It is apparent that a novel and particularly invulnerable gateway has been invented. The gateway is efficient as 
well as secure. It will be readily apparent to those skilled in the art that modification may be made to the preferred 
embodiment described above without departing from the scope of the invention as expressed in the appended claims. 

30 



APPENDIX A 

40 



MODIFIED UNIX KERNEL SOURCE CODE LISTING 

45 



50 
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Copyright (c) 1982, 1986, 1988, 1993 

Regents of the University of California. 



All rights reserved. 



Red .ribution and use in source and binary forms, with or without 
modification, are permitted provided that the following conditions 
are met: . _ 

1. Redistributions of source code must retain the above copyright 
notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright 
notice, this list of conditions and the following disclaimer in the 
documentation and/or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software 
must display the following acknowledgement: 

This product includes software developed by the University of 

California, Berkeley and its contributors. 
4 Neither the name of the University nor the names of its contributors 
may be used to endorse or promote products derived from this software 
without specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS * "AS IS * ' AND 
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO. THE 
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
LIABILITY, OR TORT < INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
SUCH DAMAGE. 

8(#)ip_input.c 7.19 (Berkeley) 5/25/91 



# include 
# include 
♦include 
♦include 
♦include 
♦include 
♦include 
♦include 
♦include 
♦include 

♦include 
♦include 



•param. h' 
■systm.h* 
"malloc.h" 
■mbuf .h" 
-domain. h* 
■protosw.h" 
•socket. h" 
■errno .h" 
• time.h" 
"kernel. h* 

. /net/if .h" 
• . . /net/route. h' 



40 



♦include •in.h" 

♦ include •in.systm.h'' 

♦ include -ip.h" 
♦include -in_pcb.h" 
♦include -in_var.h" 
♦include -ip.var. fa- 
mine lude "ip_icmp.h- 

♦if defined (MILKYWAY_BH) || defined (MILKYWAY_VPN) 

♦ include "milkyway/vpn^data ,h" 
♦define GATEWAY 

♦endif 

/* the following are in in_proto.c for easy conf ig-dependence •/ 
extern int ipf orwarding; /• act as router? •/ 

extern int ipf orward.srcrt ; /* forward src-routed packets? 
extern int ipsendredirects ; 
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iifdef GWSCREEN • 

extern void (*ip_forward_fn) P( (struct mbuf *• int)) 

•endif 

void ir forward P( (struct mbuf *, intl); 

Iifdef DEBUG 

int ipprintfs = 1; 

# endif 

extern struct domain inetdomain; 

extern struct protosw inetsw (] ; 

u_char ip_protox( IPPROTO_max) ; 

int ipqmaxlen = IFQ_MAXLEN; 

struct in_ifaddr *in_ifaddr; 



first inet address */ 



* we need to save the IP options in case a protocol wants to respond 

* to an incoming packet over the same route if the packet got here 

* using IP source routing. This allows connection establishment and 

* maintenance when the remote end is on a network that is not known 

* to us. 

*/ 

int 

static 



ip_nhops = 0; 
struct ip_srcrt { 



struct in_addr dst; 
char nop; 

char srcopt{IPOPT_OFFSBT ♦ 1) ; 



/* final destination V 
/* one NOP to align */ 
/* OPTVAI>, OLEN and OFFSET */ 



struct in_addr route (MAX_IPOPTLEN/sizeof (struct in_addr) ] ; 
> ip_srcrt; 

«ifdef GATEWAY 
extern int if_index; 
u_long "ip^ifmatrixi 
# endif 



so 



* IP initialisation: fill in IP protocol switch table. 

* All protocols not implemented in kernel go to raw IP protocol handler. 
*/ 

ip_init<> 

register struct protosw *pr; 
register int i; 

pr = pf f indproto(PF_INET, IPPROTO_RAW, SOCK_RAW) ; 
if (pr == 0) 

panic ( • ip_ini t ■ ) : 
for (i = 0; i < IPPROTO_MAX; i++) 

ip^protoxti) = pr - inetsw; 
for (pr = inetdomain. dom_protosw; 

pr < inetdomaia.dom_protoswNPROTOSW; pr++) 

if (pr->pr domain->dom_fa«iily == PF_INET && 

pr->prIprotocol &£ pr->pr_protocol != lPPROTO_RAW) 
ip_protox[pr->pr_protocol) - pr - inetsw; 
ipq.next = ipq.prev » &ipq; 
ip_id = time.tv_sec fc Oxffff; 
ipintrq. ifq„maxlen « ipqmaxlen; 
#ifdef GATEWAY , „ 

i o (if_index + 1) * (if_index + 1) * sizeof <u_long) ; 
if ( (ip_ifmatrix = (u_long *) raallocti, M_RTABLE , M_WAITOK) ) == 0> 
panic ("no memory for ip_ifmatrix* ) ; 

# endif 
> 



struct ip *ip_reass(); 
struct sockaddr_in ipaddr 



( sizeof (ipaddr) , AF_INET ); 



55 
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struct route ipf orward_rt ; 

/* , 

• *ip .-•-"out routine. Checksum and byte swap header. If fragmented 

* try j reassemble. Process options. Pass to next level. 
•/ 

ipintrO 
{ 

register struct ip *ip; 

register struct mbuf *m; . , 

register struct ipq *fp; 
register struct in„ifaddr *ia; 
int hlen, s; 
struct ifnet *ifp; 



next: 

is 



/* 

* Get next datagram off input queue and get IP header 

* in first mbuf. 
*/ 

s = splimp{ ) ; 
IF_DEQUEu"E(&ipintrq.m) ; 
splx(s) ; 
if (m == 0) 

return; 

#ifdef DIAGNOSTIC 

if { (m->m_f lags & M.PKTHDR) == 0) 
panic (" ipintr no HDR" ) ; 



#endif 



i f p=m->m_pkthdr . rcvi f ; 



* If no IP addresses have been set yet but the interfaces 

* are receiving, can't do anything with incoming packets yet. 

30 m/ 

if (in_ifaddr == NULL.) 

goto bad; 
ipstat . ips_total++ ; 

if <m->m_len < sizeof (struct ip) && 

(m = m_pullup (m, sizeof (struct ip) ) ) == 0) { 
ipstat. ips_toosmall++; 
3S goto next; 

> 

ip = mtod<m # struct ip *) ; 

if (ip->ip__v ! = IPVERSIQN) { 

/* ipstat. ips_badver++; */ 
40 goto bad; 

> 

hlen = ip->ip_hl « 2; 

if (hlen < sizeof (struct ip) ) { /* minimum header length */ 
ipstat . ips_badhlen++; 
goto bad; 

) 

if (hlen > m->m_len) ( 

if < (m = m_pullup(ra, hlen)) 0) { 
ipstat . ips_badhlen++; 
goto next; 

) 

50 ip a mtod(m, struct ip *); 

if (ip->ip_sum = in_cksum(m, hlen) ) ( 
ipstat. ips_badsum++; 
goto bad; 

55 
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) • 
/* 

* Convert fields to host representation. 
*/ 

NTOHS ( ip->ip_len) ; 

if (ip->ip_len < hi en J { 

ipstat. ips_badlen++; 

goto bad; 

> 

NTOHS ( ip->ip_id) ; 
NTOHS ( ip->ip_of f ) ; 

/ * 

* Check that the amount of data in the buffers 

* is as at least much as the IP header would have us expect. 
» Trim mbufs if longer than we expect. 

* Drop packet if shorter than we expect. 
*/ 

if <m->m_pkthdr.len < ip->ip_len) { 
ipstat . ips — tooshortf + ; 
goto bad; 

if (m->m_pkthdr . len > ip->ip_len> ( 

if (m->m_len == m->m_pkthdr.len) { 
m->m_len = ip-> ip_len; 
m->m - pkthdr.len = ip->ip_len; 

} else 

m_adj (m, ip->ip_len - m->m_pkthdr. len) ; 

> 

* Process options and, if not destined for us, 

* ship it on. ip_ dooptions returns 1 when an 

* error was detected (causing an icmp message 

* to be sent and the original packet to be freed) . 
*/ 

ip_nhops =0; /* for source routed packets V 

if (hlen > sizeof (struct ip) ip_dooptions (m) > 
goto next; 

/* 

* Check our list of addresses, to see if the packet is for us. 
V 

for (ia = in_ifaddr; ia; ia « ia->ia_next) ( 
#define satosin(sa) ((struct sockaddr.in •)(sa)) 

if (IA_SIN(ia) ->sin_addr .s_addr == ip->ip_dst.s_addr> 
goto ours; 

if ( 

iifdef D I RECTED_BROADC AS T " 
ia->ia_ifp == m->n\_pkthdr . rcvif && 

#€ndlf (ia->ia_ifp->if_flags & iff_broadcast) ) { 

u_long t; 

if (satosln(tia->ia_broadaddr) ->sin_addr .s_addr =* 
ip- >ip_ds t . s_addr ) 

goto beast; ^ , 

if (ip->ip_dst.s_addr == ia->ia_netbroadcast . s_addr) 

goto beast; 

/* 

* Look for all-0's host part (old broadcast addr) , 

* either for subnet or net. 
*/ 

t = ntohl <ip->ip_dst.s_addr) ; 
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if (t == ia->ia_subnet) 

goto beast; 
if (t ia->ia_net) 

goto beast; 

5 ) 
) 

tifdef MULTICAST 

if (IN_MULTICAST(ntohl (ip->ip_dst.s_addr) ) ) { 
struct in_multi *imn; 
/* #ifdef MROUTING */ 
io extern struct socket *ip_nirouter; 

if (ip__ mrouter) ( 
/* 

* If we are acting as a multicast router, all 

* incoming multicast packets are passed to the 

* kernel-level multicast forwarding function. 

15 * The packet is returned (relatively) - intact; if 

* ip_tnf orward ( ) returns a non-zero value, the packet 

* must be discarded, else it may be accepted below. 
* 

* (The IP ident field is put in the same byte order 

* as expected when ip__mf orward ( ) is called from 
20 * ip_output ( ) . ) 

*/ 

ip->ip_id c htons (ip->ip_id) ; 

if (ip_mforward<ip. m->m_pkthdr . rcvif , m) != 0) < 
m_f reem(m) ; 
goto next; 

2S > 

ip->ip_id = ntohs lip->ip_id) ; 
/* 

* The process- level routing daemon needs to receive 

* all multicast IGMP packets, whether or not this 

* host belongs to their destination groups. 

30 #/ 

if (ip->ip_P == IPPROTO_IGMP) 
goto ours; 



/* tendif •/ 



3S * see if we belong to the destination multicast group on the 

* arrival interface. 
*/ 

IN LOOKUP_MULTI ( ip->ip_ds t # m->m_pkthdr . rcvi f , inm) ; 
if"<inm == NULL) ( 
m_f reem (m> ; 
40 ^ goto next; 

goto ours; 

) 

if (ip->ip_dst.s_addr == <u_long) INADDR_B ROADCAST ) 
goto beast; 

4S if tip->ip_dst.s_addr == INADDR_ANY) 

goto ours; /* beast? */ 

#if defined (MILXYWAY_BH) 
/• mcr - 94/10/11 

Do not forward and simply give the packet to the upper layer 
50 Just to see how it goes 

*/ 

•if defined (MILKYWAY_VPN) 

/* but we need to be a bit smarter for VPN */ 
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i f Cvpn_f orward (m) ) { 

goto next; 
) else ( 

goto ours; 



tfendif 
#else 



fifdef 
telse 
fendif 
*endi£ 
beast : 



* Not for us; forward if possible and desirable. 
V 

if (ipforwarding ==0) { 

ipstat . ips_cantforward++; 
m_£reem(m) ; 

) else 
GWSCREEN 

( *ip_forward_f n) (m, 0) ,* 
ip_f orward (m, 0); 

goto next; 
/* MILKYWAY_BH */ 

/* set the BCAST bit on packets destined to an IP broadcast address 
ra->ro_ flags | = M_BCAST; 



* If offset or IP_MF are set, must reassemble. 

* otherwise, nothing need be done. 

* (We could look in the reassembly <jueue to see 

* if the packet was previously fragmented, 

* but it's not worth the time; just let them time out.) 
V 

if <ip->ip_off &- IP_DF) { 

if <m->m_flags & M_EXT) ( /* XXX */ 

if ( (m = m_pullup<m, sizeof (struct ip) ) ) 
ipstat. ips_toosma 11++; 
goto next; 

ip = mtod<m, struct ip *); 



0) { 



*/ 

for 



found: 



fp 



Look for Queue of fragments 
of this datagram. 

(fp - ipq.next; fp ! = &ipq; fp = fp->next) 
if (ip->ip_id == fp->ipq_id && 

ip->ip_src . s_addr == fp->ipq_src . s_addr && 
ip->ip_dst . s_addr == fp->ip<JL_dst . s_addr 
ip->ip_p »« fp->ipq__p) 
goto found; 



f - 

* Adjust ip_len to not reflect header, 

* set ip_mff if more fragments are expected, 

* convert offset of this to bytes. 
*/ 

ip->ip_len -e hlen; 

((struct ipasfrag * ) ip) ->ipf_mf f = 0; 
if <ip->ip_off & IP_MF) 

((struct ipasfrag * ) ip) ->ipf_mf f - 1; 
ip->ip_ofC <<= 3; 
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) else 
/ 



/* 

♦ If datagram marked as having more fragments 

• or if this is not the first fragment, 

* attempt reassembly; if it succeeds, proceed. 
♦/ 

if {((struct ipasfrag * ) ip) ->ipf_mf f || ip->ip_off) 
ipstat. ips_fragments++; 

ip = ip_reass < (struct ipasfrag *)ip. fp) ; 
if (ip « 0) 

goto next; 

else 

ipstat. ips_reasserabled++; 
m = dtom(ip) ; 

) else 

if (fp) 

ip_freef (fp) ; 
ip->ip_ len -= hlen; 



bad: 



) 



* Switch out to protocol's input routine. 
*/ 

ipstat. ips_delivered++; 

(*inetsv[ip_protox[ip->ip_pJ ] .pr_input) (m, hlen) ; 
goto next; 

m_f reem (m) ; 
goto next; 



/* 

* Take incoming datagram fragment and try to 

* reassemble it into whole datagram. If a chain for 

* reassembly of this datagram already exists, then it 

* is given as fp; otherwise have to make a chain. 
*/ 

struct ip * 
ip_reass(ip, fp) 

register struct ipasfrag *ip; 
register struct ipq *fp; 



< 



register struct mbuf *m = dtom(ip); 

register struct ipasfrag *q; 

struct mbuf *t; 

int hlen « ip->ip_hl « 2; 

int i, next; 

/* 

* Presence of header sizes in cnbufs 

* would confuse code below. 
•/ 

m->m_data += hlen; 
m->m_len -= hlen; 

/* 

* If first fragment to arrive, create a reassembly queue. 
*/ 

if (fp -- f 0, ((t _ m _get <M_DONTWAIT, MT_FTABLE) ) == NULL) 
goto drop frag; 
fp = mtod(t, struct ipq *); 
insque(fp, &ipq) ; 
fp->ipq_ttl = IPFRAGTTL; 
fp->ipq_p = ip->ip_p; 
fp->ipq_id = ip->ip_id; 
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) { 



insert: 



45 



fp->ipqLjriext = fp->i D Q orev = (struct ipasfrag Mfp; 
fp->ipq_src = ((struct ip *) ip) ->ip_src; 
fp->ipq_dst = ((struct ip *) ip) ->lp_dst; 
q = (struct ipasfrag *)fp; 
goto insert; 

) 

/* 

* Find a segment which begins after this one does. 
*/ 

for <q = fp->ipq_next; q I (struct ipasfrag Mfp; q = q->ipf_next) 
if (q->ip_off > ip->ip_off) 
break ; 

/* 

* If there is a preceding segment, it may provide some of 

* our data already. If so, drop the data from the incoming 

* segment. If it provides all of our data, drop us. 
♦/ 

if (q->ipf_prev != (struct ipasfrag *)fp) ( 

i = q->ipf_prev->ip_of f ♦ q->ipf_prev->ip_len - ip->ip_off; 
if (i > 0) ( 

if (i >= ip->ip_len) 

goto dropfrag; 
m_ad j ( dtom ( ip ) , i ) ; 
ip->ip_off += i; 
ip->ip_len -= i; 

> 

> 

/* 

* While we overlap succeeding segments trim them or, 

* if they are completely covered, dequeue them. 
*/ 

while (q != (struct ipasfrag *) fp i& ip->ip_off + ip->ip_len > q->ip_off 

i = (ip->ip_off + ip->ip_len> - q->ip_off; 
if (i < q->ip_len) ( 

q->ip_len - = i; 

q->ip_off +■ i; 

nuadj (dtom(q) , i) ; 

break; 

) 

q = q->ipf_next; 
m_freem(dtom(q->ipf_prev) ) ; 
ip_deq(q->ipf_prev) ; 

) 

/* 

* Stick new segment in its place; 

* check for complete reassembly. 
V 

ip_enq(ip, q->ipf_prev) ; 

next =0; . _ , , 

for (q = fp->ipq_next; q != (struct ipasfrag *)fp; q = q->ipf_next> ( 

if (q->ip_off != next) 
return (0); 

next += q->ip_len; 

) 

if (q->ipf_prev->ipf_mf f ) 
return (0); 

/* 

* Reassembly is complete; concatenate fragments. 
•/ 
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q = fp->ipq_next; 
m = dtom(q) ; 
"t = m->m_next; 
«n->m_next ~ 0; 

_cat{m, t) ; 
q = q->ipf_next; 

while (q !- (struct ipasfrag *)fp) { 
t = dtom(q) ; 
q = q->ipf_next; 
m_cat (m, t) ; 

/* 

* Create header for new ip packet by 

* modifying header of first packet; 

* dequeue and discard fragment reassembly header. 

* Make header visible. 
*/ 

ip = fp-> ipq_next ; 
ip->ip_len = next; 

((struct ip *) ip) ->ip_src = fp->ipq_src; 
((struct ip *) ip) ->ip_dst * fp->ipq_dst; 
remque ( fp) ; 

(void) m_f ree (dtom(fp) ) ? 
m = dtom( ip) ; 

m->m_len +» (ip->ip_hl « 2); 
m->m_data -= (ip->ip_hl « 2); 

/* some debugging cruft by sklower, below, will go away soon */ 
if (m->m_flags & M_PKTHDR) { /• XXX this should be done elsewhere 

register int plen =0/ 

for (t = m; m; m = m->m_next) 
plen +» m-xr^len; 

t->m_pkthdr.len = plen; 

) 

return ((struct ip *) ip) ; 

dropfrag: 

ipstat. ips_f ragdropped++; 
m_freem(m) ; 
return (0); 

) 

/* 

* Free a fragment reassembly header and all 

* associated datagrams. 
*/ 

ip_freef (fp) 

struct ipq *fp; 

register struct ipasfrag *q, *p; 

for (q = fp->ipq_next ; q != (struct ipasfrag *)fp; q = p) { 
p - q->ipf_nextj 
ip_deq(q) ; 
nufreem(dtom(q) ) ; 

> 

r emque ( f p ) ; 

(void) m_free(dtora(fp) ) ; 

) 

/• . 

* Put an ip fragment on a reassembly chain. 

* Like insque, but pointers in middle of structure. 
•/ 

ip_enq(p, prev) 

register struct ipasfrag *p. *prev; 
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"p->ipf__prev = prev; 
o->ipf_ next ~ prev->ipf .next; 
jrev->ipf_next->ipf_prev = p; 
prev->ipf_next = p; 



• To ip_enq as remque is to insque. 
•/ 

p_deq(p) 

register struct ipasfrag *p; 



p->ipf__prev->ipf_next = p->ipf_ next; 
p->ipf_next->ipf_prev = p->ipf _prev; 



* IP timer processing; 

* if a timer expires on a reassembly 

* queue, discard it. 
*/ 

ip_slowtimo () 
{ 

register struct ipq *fp; 
int s = spinet ( ) ; 

fp = ipq. next; 
if (fp == 0) { 

splx(s) ; 

return; 

) 

while Cfp ! = &ipq) { 

— fp->ipq_ttl; 
fp = fp->next; 

if <fp->prev->ipq_ttl ==0) { 

ipstat . ips_f ragtimeout++; 
ip_freef (fp->prev) ; 

) 

> 

splx(s) ; 



/* 

* Drain off all datagram fragments. 
*/ 

ip_drain ( ) 
{ 

while (ipq. next != &ipq) ( 

ipstat. ips_.fr agdropped+ + ; 
ip_f reef ( ipq . next ) ; 

> 

) 

extern struct in_ifaddr *ifptoiaO; 
struct in.ifaddr *ip_rtaddrO; 

/* 

* Do option processing on a datagram, 

* possibly discarding it if bad options are encountered, 

* or forwarding it if source-routed. 

* Returns 1 if packet has been forwarded/ freed, 

* 0 if the packet should be processed further. 
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*/ 

ip_doop tions (m) 

struct mbuf *n»; 

•egister struct ip *ip = mtod(m, struct ip *); 
register u_char *cp; 
register struct ip_timestamp *ipt; 
register struct in_ifaddr *ia; 

int opt, optlen, cnt, off, code, type = ICMP_PARAMPROB, forward = 0 
struct in_addr *sin; 
n_time ncime; 



cp = (u_char *) (ip + 1); 

cnt « (ip->ip_hl « 2) - sizeof (struct ip) ; 
for (; cnt > 0; cnt -= optlen. cp += optlen) 
opt = cp ( IPOPT_OPTVAL ) ; 
if (opt == IPOPT_EOL) 

break; 
if (opt == IP0PT_N0P) 
optlen = 1; 



else { 



) 

switch (opt) { 



optlen * cp[IP0PT_0LEN] ; 

if (optlen o 0 || optlen > cnt) < 

code = &cp[lPOPT_OLEN] - (u_char *)ip; 

goto bad; 

> 



default: 

break; 



/* 

* Source routing with record. 

* Find interface with current destination address. 

* If none on this machine then drop if strictly routed, 

* or do nothing if loosely routed. 

* Record interface address and bring up next address 

* component. If strictly routed make sure next 

* address is on directly accessible net. 
*/ 

case IP0PT_LSRR: 
case IPOPT_SSRR: 



#ifdef MILKYWAY_BH 

/* Hung Vu Oct 28. 1994 

We simply do not understand source routing 
just return ICMP_UNREACH and SRC FAIL 

*/ 



•end if 



type = ICMP_UNREACH; 
code = ICMP__UNREACH_SRCFAIL; 
goto bad; 

if ((Off = cp[IPOPT_OFFSET)) < IPOPT_MIN0FF) ( 

code = &cp[IP0PT_0FFSET) - <u_char *)ip; 
goto bad; 

> 

ipaddr.sin_addr = ip->ip__dst; 
ia = (struct in_ifaddr *) 

ifa_ifwithaddr( (struct sockaddr *)&ipaddr) 
if (ia =* 0) { 

if (opt « IPOPT_SSRR) ( 

type = ICKP.UNREACH; 

code = ICMP_UNREACH_SRCFAIL; 

goto bad; 
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) 

/* 

* Loose routing, and not at next destination 

* yet; nothing to do except forward. 
V 

break; 

) 

off--; /* 0 origin "/ 

if (off > optlen - sizeof (struct in_addr)) ( 
/* 

* End of source route. Shoul'd be for us. 
*/ 

save_rte(cp, ip->ip_src) ; 
break; 

) 

/* 

* locate outgoing interface 
*/ 

bcopy( (caddr_t) Icp + off), <caddr_t) tipaddr . sin_addr , 

s izeof ( ipaddr . sin_addr) ) ; 
if (opt — IPOPT_SSRR) ( 
ffdefine INA struct in_ifaddr * 

•define SA struct sockaddr * 

if <<ia = { INA) if a_ifwi thdstaddr ( (SA) & ipaddr ) ) == C 
ia = in_i aonne to f (in_netof (ipaddr. sin_addr) J ; 

) else 

ia = ip_rtaddr (ipaddr. sin_addr) ; 
if (ia » 0) ( 

type = ICMP_UNREACH; 

code = ICMP_UNREACH_SRCFAIL; 

goto bad; 

> 

ip->ip_dst - ipaddr ,sin_addr ; 

bcopy( (caddr_t)t(IA_SIN(ia)->sin_addr) , 

(caddr_t) (cp + off), sizeof (struct ii^addr)); 
cp[IPOPT_OFFSBT] ♦= sizeof (struct in_addr) ; 
forward = 1; 
break ; 

case IPOFT_RR: 

if ((Off = Cp(IPOPT_OFFSET) ) < IPOPT_MINOFF) ( 

code ■ &cp(IPOPT_OFFSET] - (u_char *)ip; 
goto bad; 

) 

/* 

* If no space remains, ignore. 
■/ 

off — ; /* 0 origin */ 

if (off > optlen - sizeof (struct in_addr) ) 
break; 

bcopy ( ( caddr_t ) ( £ ip -> ip_ds t ) , ( caddr_ t ) & ipaddr . s i n_ a ddi 
sizeof (ipaddr. sin_addr) ) ; 

/♦ 

* locate outgoing interface; if we're the destination, 

* use the incoming interface (should be same) . 
*/ 

if ((ia = ( INA) i£a_if withaddr ( (SA) & ipaddr) ) == 0 && 
(ia = ip_rtaddr (ipaddr. sin_addr) ) ==0) { 
type ■ ICMP_UNREACH; 
code = ICMP_UNREACH_HOST; 
goto bad; 

> 

bcopy ( (caddr t) & ( IA_SIN ( ia) ->sin_addr ) , 

(caddr_t) (cp + off), sizeof (struct in_addr) ) ; 
cp{IPOPT_OFFSET] += sizeof (struct in_addr) ; 
break; 
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case I POPT_TS : 

code = cp - (u_char *)ip; 
ipt = (struct ip_time stamp Mcp; 
if (ipt->ipt_len < 5) 
5 goto bad; 

if (ipt->ipt_ptr > ipt->ipt_len - sizeof (long)) { 
if (++ipt->ipt_of lw == 0) 
goto bad; 

break ; 

) 

jo sin = (struct in_addr *) (cp ♦ ipt->ipt_ptr - 1); 

switch (ipt->ipt_f lg) { 

case I P0PT_TS_TS0NLY : 
break; 

I5 case IPOPT_TS_TSANDADDR : 

if (ipt->ipt_ptr ♦ sizeof (n_time) + 

sizeof (struct in_addr) > ipt->ipt_len) 
goto bad; 
ia = ifptoia (ra->rtL_pkthdr.rcvif ) ; 
bcopy t (caddr_ t) 6IA_SIN(ia) ->sin_ addr . 

(caddr_t) sin. sizeof (struct in_addr) ) ; 
20 ipt->ipt_ ptr ♦= sizeof (struct in_ addr) ; 

break; 

case IPOPT_TS_PRESPEC: 

if (xpt->ipt_ptr + sizeof (n_time) + 

sizeof (struct in_addr) > ipt->ipt_len) 
25 goto bad; 

bcopy ( (caddr_t) sin, (caddr_t)&ipaddr .sin_addr, 

sizeof (struct in_addr) ) ; 
if (ifa_ifwithaddr< (SA)&ipaddr) == 0) 
continue; 

ipt->ipt_ptr += sizeof (struct in_addr) ; 
30 break; 

default : 

goto bad; 

) 

ntitne » iptimeO; 

3S bcopy ( (caddr_t) &n time, (caddr_t)cp ♦ ipt->ipt_ptr - 1, 

sizeof (n_time) ) ; 
ipt->ipt_ptr +* sizeof (n_time) ; 

) 

> 

if (forward) { 

if (ipf orward_srcrt ==0) { 
40 type = ICMP_UNREACH; 

code = ICMP_UNREACH_SRCFAIL; 
goto bad; 

) 

ip_forward(m, 1); 
return (1) ; 

> else 

return (0); 

bad: 

icmp_error (m, type, code) ; 
return (1); 

) 



so 



/* 

* Given address of next destination (final or next hop) , 

* return internet address info of interface to be used to get there. 
*/ 
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struct in_ ifaddr. * 
ip_rtaddr (dst) 

~" ' struct in_addr dst; 



{ 



) 



egister struct sockaddr_in *sin; 
sin = (struct soc)caddr_in *) fcipf orward_rt .ro_dst; 

if (ipforward_rt.ro.rt == 0 | | dst.s_addr != sin->sin__addr . s.addr) { 
if (ipforward_rt. ro_rt) { 

RTFR£E(ipforward_rt.ro_rt » ; 
ipf orward_rt -ro_rt - 0; 

> 

sLn->sin_faraily = AP_INET; 
sin->sin_len = sizeof (*sin) ; 
sin->sin_addr « dst; 

rtalloc (&ipforward_rt) ; 

if (ipf orward_rt.ro_rt == 0) 

return ((struct in_ifaddr *)0); 
return ((struct in_ifaddr *) ipf orwardLrt ,ro_rt->rt_if a) ; 



#endif 



/* 

* Save incoming source route for use in replies, 

* to be picked up later by ip_srcroute if the receiver is interested. 
*/ 

save_rte( option, dst) 

u_char *option; 
struct in_addr dst; 

unsigned olen? 

olen = option t IP0PT_0LEK] ; 
tfifdef DEBUG 

if (ipprintfs) 

printf ( "save_rte: olen %d\n", olen); 

if (olen > sizeof (ip_srcrt) - (1 ♦ sizeof (dst) ) ) 
return ; 

bcopy((caddr tjoption, (caddr_t) ip_srcrt. srcopt . olen) ; 
ip_nhops • (olen - IP0PT_0FFSET - 1) / sizeof (struct in_addr) ; 
ip_srcrt.dst = dst; 

) 

/* 

* Retrieve incoming source route for use in replies, 

* in the same form used by setsockopt. 

* The first hop is placed before the options, will be removed later. 

*/ 4 
struct mbuf * 
ip_srcroute() 

register struct in_addr *p. *q; 
register struct mbuf *m; 

if (ip.nhops == 0) 

return ((struct mbuf *)0); 
m = m_get(M_DONTWAIT, MT_SOOPTS) ; 
if (m == 0) 

return ((struct mbuf *)0); 

fdefine OPTSIZ (sizeof (ip_srcrt .nop) + sizeof ( ip_srcrt. srcopt) ) 

/* length is (nhops+1) *sizeof (addr) ♦ sizeof (nop ♦ srcrt header) */ 
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m->m_len = ip_nhops * sizeof < struct in_addr> + sizeof (struct in_addr) ♦ 
OPTSIZ; 

#ifdef DEBUG 

if (ipprintfs) , , . 

printf ( "ip_srcroute: nhops %d rolen %d" . ip_nhops, m->m.len) ; 

#endif 

/* 

* First save first hop for return route 
10 * / 

p = &ip_srcrt. route (ip_nhops -1); ' 
Mmtod<m, struct in_addr *) ) * *p--; 
iifdef DEBUG 

if (ipprintfs) . 

printf (* hops %lx", ntohl (intod(m, struct in_addr * ) ->s_addr ) ) ; 

is tendif 

/* 

* Copy option fields and padding (nop) to mbuf . 
*/ 

ip_srcrt.nop = IPOPT_NOP; 
20 ip_srcr t . srcopt [ IPOPT_0FFSET] = IPOPT_MIN0FF; 

bcopyt (caddr_t)&ip_srcrt.nop, ^™^„v 

mtod(m. caddr_t) + sizeof (struct in_addr) , OPTSIZ) ; 
q = (struct in_addr • ) (mtod (ra, caddr_t) + 
sizeof (struct in_addr) ♦ OPTSIZ); 
#undef OPTSIZ 
/* 

25 * Record return path as an IP source route, 

* reversing the path (pointers are now aligned) . 
*/ 

while {p ip_srcrt. route) < 
#ifdef DEBUG 

if (ipprintfs) 

30 printf ( - %lx- , ntohl (<j->s_addr ) ) ; 

fendif 

*<3++ = *p — ; 

> 

/* 

* Last hop goes to final destination. 

35 •/ 

*Q = ip_srcrt*dst; 
#ifdef DEBUG 

if (ipprintfs) jj 

printf ( ■ %lx\n" , ntohl (q->s_addr) ) ; 

#endif 

40 return (m) ; 

/* 

• Strip out IP options, at higher 

• level protocol in the kernel . 

* Second argument is buffer to which options 

45 * will be moved, and return value is their length. 

* XXX should be deleted; last arg currently ignored. 
*/ 

ip_stripoptions (m, mopt) 

register struct mbuf •in- 
struct mbuf *mopt; 

50 ( 

register int i; 

struct ip *ip = mtod(m, struct ip *) ; 
register caddr_t opts; 
int olen; 

55 olen = (ip->ip_hl«2) - sizeof (struct ip) ; 
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opts = (caddr_t)(ip ♦ 1); 

i = rn->m_len - (sizeof (struct ip) ♦ olen) ; 
bcopy(opts + olen, opts, {unsigned) i) ; 
m->n\_len -= olen; 
: f (m->m_f lags & M__PKTHDR) 

m->m_pkthdr . len - = olen; 
ip->ip_ hi = sizeof (struct ip) » 2; 



> 



u_char inetctlerrrnapf PRC_NCMDS] = ( 

0, 0, o . 0, 

0, EMSGSIZE, EHOSTDOWN , EHOSTUNREACH , 

EHOSTUNREACH , EHOSTUNREACH, ECONNREFUSED , ECONNREFUSED. 

EMSGSIZE, EHOSTUNREACH, 0, 0. 

0, 0, 0, o. 

ENOPROTOOPT 

>; 

Forward a packet. If some error occurs return the sender 

* an icmp packet. Note we can't always generate a meaningful 

* icmp message because icmp doesn't have a large enough repertoire 

* of codes and types. 
• 

* If not forwarding, just drop the packet. This could be confusing 

* if ipforwarding was zero but some routing protocol was advancing 

* us as a gateway to somewhere. However, we must let the routing 

* protocol deal with that. 

* The srcrt parameter indicates whether the packet is being forwarded 

* via a source route. 
*/ 

void 

ip_forward(m, srcrt) 

struct mbuf *m; 
int srcrt; 

register struct ip *ip = mtod(m, struct ip *) ; 

register struct sockaddr_in *sin; 

register struct rtentry *rt; 

int error, type « 0, code; 

struct mbuf *mcopy; 

struct in_addr dest; 

des t . s_addr = 0 ; 
#ifdef DEBUG 

if (ipprintfs) 

pr int f ("forward: src %x dst %x ttl %x\n" , ip->ip_src, 
ip->ip_dst, ip->ip_ttl); 



tendif 



if (m->m_flags & M_BCAST || in_canf orward(ip->ip_dst) == 0) { 
ipstat . ips_cantf orward++; 
m_freem(m) ; 
return; 

) 

HTONS(ip->ip_id) ; 

if (ip->ip_ttl <= IPTTLDEC) { 

icmp_error (m, ICMP_timxceed, ICMF_TIMXCEED_INTRANS, desc) 

return; 

} 

ip->ip_ ttl -= IPTTLDEC; 

sin = (struct sockaddr_in * )&ipforward_rt . ro_dst; 
if ((rt * ipforward_rt.ro_rt) == 0 | | 

ip->ip_dst. s_addr != sin->sin_addr. s_addr) { 
if (ipf orward_rt.ro_rt) ( 
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RTF REE < ipf orward__rt . r o_rc ) ; 
ipforward_rt . ro_rt = 0; 

) 

sin->sin_family = AF__INET; 
sin->sin_len = sizeof < *sin) ; 
sin->sin_addr = ip->ip_dst; 



rtalloc (&ipforward_rt) ; 

if (ipforward_rt.ro_rt == 0) { 

icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST , dest) ; 

return; 

) 

rt = ipforward__rt .ro_rt; 



/* 

■ Save at most 64 bytes of the packet m case 

* we need to generate an ICMP message to the src . 
*/ 

mcopy = m_copy(m f 0, iroin ( (int) ip->ip_len, 64)); 

#ifdef GATEWAY 

ip_ifmatrix[rt->rt_ifp->if_index + 

if_index * m->nv_pkthdr . rcvif-> if .index ) «■♦; 

# end if 

/* 

* If forwarding packet using same interface that it came in on, 

* perhaps should send a redirect to sender to shortcut a hop. 

* Only send redirect if source is sending directly to us, 

* and if packet was not source routed (or has any options) . 

* Also, don't send redirect if forwarding using a default route 

* or a route modified by a redirect. 
*/ 

#define satosin(sa) ((struct sockaddr_in *)<sa») 

if <rt->rt_ifp == m->m_pkthdr .rcvif && 

(rt->rt_f lags & <rtf_dynamic| rtf_modified) ) 0 && 
satosin(rt_key(rt> ) ->sin_addr.s_addr != 0 && 
ipsendredirects && ! srcrt) < 
struct in_ if addr *ia; 

u_long src = ntohl ( ip->ip_src .s_addr ) ; 
u_long dst = ntohl (ip->ip_dst .s_addr) ; 

if {(ia = ifptoia(m->m_pkthdr .rcvif ) ) && 

(src & ia->ia_subnetmask) == ia->ia_subnet) { 
if <rt->rt_flags & RTF_GATEWAY) 

dest = satosin(rt->rt_gateway) ->sin_addr; 

else 

dest * ip->ip_dst; 

/* 

* If the destination is reached by a route to host. 

* is on a subnet of a local net, or is directly 

* on the attached net (!), use host redirect. 

* (We may be the correct first hop for other subnets.) 
*/ 

•define RTA(rt) ((struct in_ifaddr *) (rt->rt_if a) ) 
type o ICMP_REDIRECT; 
if < (rt->rt_flags & RTF.HOST) || 

(rt->rt flags & RTF_GATEWAY) ==0) 
code « ICMP_REDIRECT_HOST; 
else if (RTA(rt) ->ia_subnetmask != RTA(rt) ->ia — netmask && 
(dst & RTA(rt) ->ia_netmask) =- RTA(rt) ->ia_net) 
code = ICMP_REDIRECT_HOST; 

else 

code = ICMP_REDIRECT_NET; 

iifdef DEBUG 

if (ipprintfs) 
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35 



printf ('redirect (%d) to %x\n*. code, dest . s_addr) ; 

fiend if 

) 

t 

#i£def D I RECTED_B ROADCAST 

error = ip_ output(m f (struct mbuf *)0, &ipf orwar4_rt. 
I P_ FORWARDING | I P_ALL0WB ROADCAST ) ; 



#else 
iendif 



error = ip_output (ra, (struct mbuf *)0, &ipforvard_rt, IP.FORWARDING) 

if (error) 

ipstat. ips_cantforward++; 

else ( 

ipstat- ips_£orvard++; 
if (type) 

c ipstat. ips_redirectsent++ ; 

15 else ( 

if (mcopy) 

m_f reem(mcopy) ; 

return; 

) 

20 if (mcopy == NULL) 

returns- 
switch (error) { 

case 0: /* forwarded, but need redirect */ 

/* type, code set above •/ 
25 break; 

case ENETUNREACH: /• shouldn't happen, checked above * 

case EHOSTUNREACH : 
case ENETDOWN: 
case EHOSTDOWN: 
30 default: 

type = ICMP_UNREACH ; 
code = ICMP_UNREACH_HOST; 
break ; 



case EMSGSI2E: 

type = ICMP_UNREACH; 
code = ICMP_UNREACH_NEEDFRAG; 
ipstat. ips_cantf rag++; 
break ; 

case ENOBUPS: 

type = ICMP_SOURCEQUENCH; 

code = 0; 

break; 

icmp_error (mcopy, type, code, dest) ; 



so 
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BSni Sid: in_pcb.c,v 1.1.1.1.4.1 1994/11/16 15:11:14 mcr Exp $ */ 



copy 

All 



*ght (c) 1982, 1986, 
.ghts reserved. 



1991 Regents of the University of California. 



Redistribution and use in source and binary forms, with or without 
modif ication, are permitted provided that the following conditions 
are met: 

1. Redistributions of source code must retain the above copyright 
notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright 
notice, this list of conditions and the following disclaimer in the 
documentation and/or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software 
must display the following acknowledgement: 

This product includes software developed by the University of 
California, Berkeley and its contributors. 

4. Neither the name of the University nor the names of its contributors 
may be used to endorse or promote products derived from this software 
without specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS' ' AND 
ANY EXPRESS OR IMPLIED WARRANTIES , INCLUDING, BUT NOT LIMITED TO, THE 
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
ARE DISCLAIMED. IN NO EVENT SHALL THE REGQJTS OR CONTRIBUTORS BE LIABLE 
FOR ANY DIRECT* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
OR SERVICES; LOSS OF USE. DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
SUCH DAMAGE. 



8 ( # ) in_pcb . c 



7.14 (Berkeley) 4/20/91 



•include 
# include 
♦include 
•include 
•include 
•include 
•include 
•include 
•include 



"param.h" 
"systm.h* 
•malloch" 
■mbuf .h" 
"proe. h" 
"protosw. h" 
•socket .h" 
•socketvar . 
•ioctl.h- 



•include 
•include " . 



•include 
•include 
•include 
•include 
•include 
•include 



./net/if . h- 
. /net /route. h" 



-in.h- 

"in_ Systran" 

•ip.h* 

•injcb.h* 

-in_var.h- 

"ip-var.h" 



•define ANY_P0RT 
•define OPENWIN_PORT 
•define XWINDOW_PORT 
•define SYSLOGD_PORT 



htons (59813) 
htons (2000) 
htons (6000) 
htons (5 14) 



struct in_addr zeroin_addr; 
struct inpcb * 
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in_pcblokup(head, faddr, fport, laddr, lport, flags) 
struct inpcb *head? 
struct in^addr faddr, laddr; 
r^short fport, lport; 
*nt flags ; 



{ 
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register struct inpcb *inp, *match = 0; 
int matchwild = 3. wildcard; 

for (inp = head->inp_next; inp != head; inp = inp->inp_next) { 
if ( inp->inp_lport != lport) 

continued- 
wildcard = 0; 

if <inp->inp_laddr.s_addr != INADDR.ANY) { 
if (laddr. s_addr INADDR_ANY) 
wildcard**; 

else if (inp->inp_laddr.s_addr != laddr . s_addr) 
continue; 

) else { 

if ( laddr. s_addr != INADDR_ANY) 
wildcard++; 

if (inp->inp_faddr.s_addr != INADDR_ANY) { 
if (faddr. s_addr == INADDR^ANY) 
wildcard**; 

else if <inp->inp_f addr .s_addr !- faddr. s_addr | 
inp->inp_fport != fport) 
continue; 

) else { 

if ( faddr. s_addr != INADDK^ANY) 
wildcard**; 

if (wildcard && (flags & INPLOOKU P_WILDCARD ) « 0) 

continue; 
if (wildcard < matchwild) { 

match = inp; 

matchwild = wildcard; 

if (matchwild == 0) 
break; 

) 

) 

return (match) ; 



in_pcballoc (so, head) 

struct socket *so; 
struct inpcb *head; 



struct mbuf *m; 

register struct inpcb *inp; 

m = m_getc 1 r ( K_DONTWAIT , MT_PCB) , 
if (m == NULL) 

return (ENOBUFS) ; 
inp = mtod(m, struct inpcb *)/ 
inp->inp_head * head; 
inp->inp_socket = so; 
insque(inp ( head); 
so->so_pcb = <caddr — t) inp; 
return (0); 



) 



in_pcbbind ( inp, nam) 

register struct inpcb *inp; 
struct mbuf •nam; 

55 { 
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20 



♦ifdef 
#endif 

) 

/ 



register struct socket *so = inp->inp_socket; 
register struct, inpcb *head = inp->inp_head; 
"register struct sockaddr_in *sin; 

struct proc *p = curproc; /* XXX */ 

-_short Iport = 0; 
inc. wild = 0; 

if (in_ifaddr == 0) 

ret urn ( BAD DRNOTAVA II* ) ; 
if (inp->inp_lport || inp->inp_laddr .s_addr ! = I NADD R_ANY ) 

return (EINVAL) ; 



if ( (so->so_options & SO_REUSEADDR) == 0 && 

( (so->so_proto->pr_f lags £ PR_C0NNR SQUIRED) == 
(so->so_options & SO_ACCEPTCONN) = = 0)) 
wild = INPLOOKUP_WILDCARD; 



0 II 



if 



(nam == 0) 

goto noname; 
sin = mcod(nam, struct sockaddr_in 
if (nam->n\_len != sizeof (*sin)) 

return (EINVAL); 
if (sin->sin_addr .s_addr J = INADDR_ANY) { 
int tport = sin->sin_port; 

sin->sin_port = 0; /* yech. . . */ 

if (ifa_ifwithaddr{ (struct sockaddr *)sin) == 0) 

return ( EADDRNOTA VAIL) ; 
sin->sin_port ~ tport; 

) 

Iport ■ sin->sin_port; 
if (Iport) ( 

u_short aport = ntohs (Iport ) ; 

/* GROSS •/ . . 

if (aport < IPP0RT_RBSERVED && suser (p->p_ucred, &p->p„acf lag) ) 

return (EACCES) ; 
if (in_pcblokup (head, 

zeroin_addr, 0, sin->sin_addr , Iport, wild)) 

return (EADDRINUSE) ; 

inp->inp_laddr » sin->sin_addr; 



if (Iport == 0) 
do ( 



MILKYWAY_BH 



if (head->inp_lport++ < IPPORT_RESERVED | | 
head->inp_lport > IPP0RT_OSERRESERVED) 
head->inp_lport * I PPORT_R£ SERVED; 
Iport « htons (head->inp_lport) ; 

if (Iport == ANY_PORT) lport++; 

inp->inp_laddr, Iport, wild)); 



) while ( in_pcblokup(head, 
zeroin_addr, 0 
inp->inp_ Iport = Iport; 
return (0) ; 



* Connect from a socket to a specified address. 

* Both address and port must be specified in argument sin. 

* If don't have a local address for this socket yet, 

* then pick one. 
*/ 

in_pcbconnect ( inp, nam) 

register struct inpcb *inp; 
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struct mbuf *nam; 

{ 

struct in_ifaddr ' *ia; 
"truct sockaddr_in *ifaddr; 
agister struct sockaddr_in *sin = mtod(nam, struct sockaddr_in ♦) ; 

5 

if (nam->m_len != sizeof (*sin)) 

return (EINVAL) ; 
if (sin->sin_family != AP_INETJ 

return (EAFNOSUPPORT) ; 
if (sin->sin_port == 0) 
w return (EADDRNOTAVAIL) ; 

if (in.ifaddr) { 

/* 

* If the destination address is INADDR_ANY, 

* use the primary local address. 

* If the supplied address is INADDR_broadcast, 

* and the primary interface supports broadcast, 

,5 * choose the broadcast address for that interface. 

*/ 

♦define satosin(sa) ((struct sockaddr_in *)<sa>) 

if (sin->sin_addr . s_addr == INADDR_ANY ) 

sin->sin_addr » lA_SIN(in_ifaddr) ->sin_addr; 
else if (sin->sin_addr.s_addr -= (u_long) INADDR^ BROADCAST && 
20 (in_ifaddr->ia_ifp->if_flags & IFF_BROADCAST)) 

sin->sin_addr = satosin(&in_ifaddr->iaJbroadaddr) ->sin_addr 

if (inp->inp_laddr.s_addr «* INADDR_JVNY> ( 
register struct route *ro; 
struct if net * i f p ; 

25 ia = (struct in_ifaddr *)0; 

/* 

* If route is known or can be allocated now, 

* our src addr is taken from the i/f, else punt. 
*/ 

ro u tinp->inp_routei 
30 if (ro->ro_rt fc& 

(satosin(&ro->ro_dst>->sin_addr.s_addr ! = 

sin->sin_addr . s_addr | | 
inp->inp_socket->so_ options & SO_DONTROUTE) ) { 
RTFREE ( ro->ro_rt) ; 
ro->ro_ rt = (struct rtentry *)0; 

35 if ( (inp->Inp_socket->so_options £ SCL.DONT ROUTE) == 0 && /*xxx* 

(ro->ro_rt (struct rtentry *)0 || 
ro->ro_rt->rt_ifp « (struct ifnet *)0>) { 

/* No route yet. so try to acquire one */ 
ro->ro_dst. sa_faxnily = AF_INET; 
ro->ro_dst. sa_len = sizeof (struct sockaddr_in) ; 
40 ((struct sockaddr_in *) &ro->ro_dst) ->sin_addr = 

s in->s in_addr ; 
rtalloc(ro) ; 

> 

/* 

* if we found a route, use the address 

4S * corresponding to the outgoing interface 

* unless it is the loopback (in case a route 

* to our address on another net goes to loopback) . 
•/ 

if (ro->ro rt &&. (ifp = ro->ro_rt->rt_ifpi && 
(ifp->if flags & IFF_LOOPBACK) == 0 && 
(ia = (struct in_ifaddr * ) ro->ro_rt->rt_if a) « 0) 
*o for (ia = in__ifaddr; ia; ia = ia->ia_next) 

if (ia->ia_ ifp «= ifp) 
break; 
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if (ia == 01 t 

int fport = sin->sin_port? 

sin->sin_port = 0; 

ia = (struct in_ifaddr *) 

ifa_ifwithdstaddr( (struct sockaddr Msin); 
sin->sin_port =■ fport; 
if (ia =>= 0) 

ia s in_iaonnetof (in_netof (sin->sin_addr) ) 
if (ia == 0) 

ia = in_ifaddr; ' 
if (ia == 0) 

return (EADDRNOTAVAIL) ; 



) 

#ifdef MULTICAST 



f endif 



• If the destination address is multicast and an outgoing 

• interface has been set as a multicast option, use the 

• address of that interface as our source address . 
*/ 

if (IN_MULTICAST(ntohl ( s in->sin_addr . s_addr) ) && 
inp ->inp_mopt ions != NULL) ( 
struct ip_moptions "imo; 
struct if net *ifp; 

imo - inp ->inp_jnopt ions; 
if (imo->imo_multicast_ifp 1 = NULL) ( 
ifp = imo->imo_multicas t_if p ; 
for (ia = in_ifaddr; ia; ia = ia->ia_next) 
if (ia->ia_ifp == ifp) 
break; 

if (ia == 0) 

return (EADDRNOTAVAIL) ; 

) 

> 

ifaddr = (struct sockaddr_in *) &ia->ia_addr; 

) 

if (in_pcblokup(inp->inp_head, 
s in- > s in_addr , 
sin->sin_port , 

inp->inp_laddr . s_addr ? inp->inp_laddr : if addr->sin_addr . 

inp->inp — lport, 

0)> 

return (EADDRINUSE) ; 
if (inp->inp_laddr.s_addr == INADDR^ANY) ( 
if (inp->inp_lport == 0) 

(void) in_pcbbind( inp, (struct mbuf *)0); 
inp->inp_laddr « if addr->sin_addr; 

) 

inp->inp_f addr = sin->sin_addr; 
inp->inp_fport = sin->sin_port; 
return (0) ; 



) 



in_pcbdis connect { inp) 

struct inpcb *inp; 

{ 

inp->inp_faddr.s_addr = INADDRwANY ; 
inp ->inp_f port = 0; 

if (inp->inp_socket->so_state & SS_NOFDR£F) 
in^pcbdetaclUinp) ; 

) 

in_pcbdetach ( inp) 
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struct inpcb *inp; 

struct socket * so = inp->inp_socket ; 

.o->so_pcb - 0; 
sof ree (so) ; 
if (inp->inp_options) 

(void) m_f ree ( inp->inp_options) ; 
if (inp->inp_route.ro_rt> 

rtf ree { inp->inp_route . ro_rt ) ; 

#ifdef MULTICAST 

if ( i np - > inp_mop t ions ) 

ip_freerooptions (inp->inp_moptions) ,- 

#endif 

remque < inp) ; 

(void) nufree(d torn (inp) ) ; 



in_setsockaddr (inp, nam) 

~ register struct inpcb *inp; 
struct mbuf *nam; 

{ 

register struct sockaddr_in *sin; 

nam->m_len = sizeof (*sin); 
sin = mtod(nam, struct sockaddr_in *); 
bzero( (caddr_t) sin, sizeof ("sin)); 
sin->sin_f amily = AF_INET; 
sin->sin_len = sizeof ( *sin) ; 
sin->sin_port = i np->inp_ lport ; 
sin->sin_addr = inp->inp_laddr; 



in_setpeeraddr (inp, nam) 

struct inpcb *inp; 
struct mbuf *nam; 

{ 

register struct sockaddr_ in *sin; 

nam->m_len « sizeof (*sin); 
sin = mtod(nam, struct sockaddr_in *); 
bzero ( (caddr_t) sin, sizeof (*sin)); 
sin->sin_family « AF_INET; 
sin->sin_len = sizeof (*sin) ; 
sin->sin_port s inp->inp_fport; 
sin->sin_addr = inp->inp_f addr ; 



* pass some notification to all connections of a protocol 

* associated with address dst. The local address and/or port numbers 

* may be specified to limit the search. The -usual action" will be 

* taken, depending on the ctlinput cmd. The caller must filter any 

* cmds that are uninteresting (e.g., no error in the map). 

* Call the protocol specific routine (if any) to report 

* any errors for each matching socket. 
* 

* Must be called at spinet. 
*/ 

in_pcbnotify(head, dst, fport, laddr, lport, cmd, notify) 
struct inpcb *head; 
struct sockaddr *dst; 
u_short fport, lport; 
struct in_addr laddr; 
int cmd, (*notify)<); 
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register struct inpcb *inp, *oinp; 
struct in_addr faddr,- ' 
int errno; 
s \nt in_rtchange() ; 

jjctern u_char inetctlerrmap ( J ; 

if ( (unsigned) cmd > PRC_NCMDS || dst->sa_ family 1= AF_INET) 
return; 

faddr = ((struct sockaddr_in * i dst) ->sin_addr; 
if ( faddr. s.addr == INADDR_ANY) 
return; 

/* 

* Redirects go to all references to the destination. 

* and use in_rtchange to invalidate the route cache. 

* Dead host indications: notify all references to the destination. 
J5 • Otherwise, if we have knowledge of the local port and address, 

* deliver only to that socket. 
V 

if ( PRC_I S_REDT RECT ( cmd ) | | cmd PRC_HOSTDEAD) ( 
fport =0; 
lport = 0 ; 

20 laddr.s_addr = 0; 

if (cmd != PRC_HOSTDEAD ) 

notify = in_rtchange; 

) 

errno = inetctlerrmap [cmd] ; 

for (inp = head->inp_next; inp != head;) { 

if (inp->inp_f addr . s_addr ! = faddr. s_addr || 
inp->inp_socket == 0 | | 
(lport && inp->inp_lport != lport) || 

(laddr.s_addr && inp- >inp_l addr . s_addr 1 = laddr . s_addr) || 
(fport fc& inp->inp_fport != fport)) { 

inp = inp->inp_next; 

continue; 

30 ) 

oinp = inp; 

inp = inp->inp_ next; 

if (notify) 

(♦notify) (oinp, errno); 

) 

35 ) 
/* 

* Check for alternatives when higher level complains 

* about service problems. For now, invalidate cached 

* routing information. If the route was created dynamically 

* (by a redirect), time to try a default gateway again. 
V 

inclosing (inp) 

struct inpcb *inp; 

{ 

register struct rtentry *rtj 

45 if {(rt » inp->inp_route. ro_rt) ) ( 

rt_missmsg(RTM_LOSING, &inp->inp_route.ro_dst. 

rt->rt_gateway, (struct sockaddr * ) rt_mask(rt) , 
(struct sockaddr *)0, rt->rt_f lags , 0) ; 
if (rt->rt_flags & RTP — DYNAMIC ) 

( vo id ) r t reciu es t ( RTM_DBLETE , r t_key ( r t ) , 
50 rt->rt_gateway, rt_mask(rt) , rt->rt_f lags, 

(struct rtentry **)0); 
inp->inp_route. ro_rt = 0; 
rtf ree (rt) ; 
/• 

* A new route can be allocated 



35 



EP 0 713 311 AJ 



35 



* the next time output is attempted. 



* After a routing change, flush old routing 

* and allocate a (hopefully) better one. 
V 

in_rtchange ( inp ) 

register struct inpcb *inp; 



{ 



if (inp->inp_route.ro_rt) { 

rtf ree ( inp->inp_route. ro_rt) ; 
inp->inp_route.ro_rt = 0; 
/• 

* A new route can be allocated the next time 

* output is attempted. 
*/ 

) 



struct inpcb * 

in_pcblookup(head, faddr, fport. laddr, lport. flags) 
struct inpcb "head; 
struct in_addr faddr, laddr; 
u_short fport, lport; 
25 int flags; 



register struct Inpcb *inp # *match 
int matchwild = 3, wildcard; 



for (inp * head~>inp_next; inp 1- head; inp = inp->inp_next) ( 
if (inp->inp_lport != lport) 
#ifdef M I LKYWA Y — B H ^ ( < in p->inp__lport ! = ANY_PORT) || (laddr . S.addr == INA 

DDR_LOOPBACK) ) 
fendif 

continue; 

#ifdef MILKYWAY.BH^ ( ^ ^ ^ OPENWIN.PORT) || (lport == XWINDOW.PORT) || (lpo 
rt == SYSL0GD_PORT)) && (laddr. s_addr != INADDR.LOOPBACK) ) continue; 
# end if 

wildcard =0; ^ r 

if (inp->inp_laddr.s_addr ! = INADDR_ANY) { 
if ( laddr .s_addr == INADDR_ANY) 
wildcard**; 

else if (inp->inp_laddr.s_addr !* laddr . s_addr) 
continue; 

> else (laddr . s _ a adr != INADDR^ANY ) 

wildcard**; 

if (inp->inp_faddr.s_addr 1= INADDR_ANY) ( 
if (faddr.s_addr == INADDR_ANY) 

wildcard**; ^ jj , t 

else if <inp->inp_faddr.s_addr != faddr. s_addr || 
inp->inp_fport 1= fport) 
continue; 

) else ( 

if ( faddr . s_addr != INADDR_ANY ) 
wildcard**; 

if (wildcard && (flags & INPLOOKUP_WILDCARD) 0) 
continue; 
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if (wildcard < matchwild) { 
match = inp; 
matchwild = wildcard; 
if (matchwild = = 0) 
break; 

> 

) 

return (match) ; 
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BSDI Sid: ip_icrnp.c,v 1.1.1.1.4.1 1994/11/16 15:11:15 mcr Exp $ */ 



20 



Copyright (c) 1982, 1986, 1989, 1993 

agents of the University of California. 



All rights reserved. 



Redistribution and use in source and binary forms, with or without 
modification, are permitted provided that the following condicions 
are met: 

1. Redistributions of source code must retain the above copyright 
notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright 
notice, this list of conditions and the following disclaimer in the 
documentation and/or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software 
must display the following acknowledgement: 

This product includes software developed by the University of 
California, Berkeley and its contributors. 

4. Neither the name of the University nor the names of its contributors 
may be used to endorse or promote products derived from this software 
without specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS * % AS IS * ' AND 
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
IMPLIED WARRANTIES OP MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
SUCH DAMAGE. 

»(#) ip_icmp.c 7.15 (Berkeley) 4/20/91 



# include 
# include 
# include 
# include 
•include 
•include 
•include 
•include 



"pa ram. h" 
"systm. h" 
"raalloc. h* 
■mbuf .h" 
"protosw.h" 
"socket. h" 
"time.h" 
■kernel . h" 



•include /net/route. h" 
•include /net/if .h" 



45 



•include "in.h" 

♦ include "in__ systm.h" 

# include • " in_var . h " 
•include "ip.h* 
•include "ip_icmp.h" 
•include "icmp_var.h" 



* ICMP 

* rout 

* host 
*/ 

•ifdef 
int 

ftendi f 



routines: error generation, receive packet processing, and 
ines to turnaround packets back to the originator, and 
table maintenance routines. 



ICMPPRINTFS 
icmpprintf s 



0; 



55 



extern struct protosw inetswU ; 
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7* * 

* Generate an error packet of type error 
5 * in r^ponse to bad packet ip. 

•/ 

/ *VARARGS3 * / 

icmp_error (n, type, code, dest) 
struct mbuf *n; 
int type, code; 

io struct in_ addr dest; , 

* register struct ip *oip = mtodin, struct ip *>, *nip; 
register unsigned oiplen = oip->ip_hl << 2; 
register struct icmp *icp; 

register struct mbuf *m; 
i5 unsigned icmplen; 

#ifdef ICMPPRINTFS 

if <icmpprintfs> 

printf ( "icrap_error <%x, %d, %d)\n*, oip, type, code) 

# end if _ 
20 /* Hung Vu Oct 28, 1994 

Just ignore ICMP REDIRECT 

V 

# i f de f M I LKYWA Y_B H 

if (type == ICMP.REDIRECT) goto freeit; 
else icmpstat. icps_error++; 



2 $ #else 
# end if 



if (type != ICMP_REDIRECT ) 

icmpstat . icps_error++ ; 

/* 

* Don't send error if not the first fragment of message. 

* Don't error if the old packet protocol was ICMP 

* error message, only known informational types. 
*/ 

if (oip->ip_off &- {IP_KF|IP_DF> ) 
goto freeit; 

if (oip->ip_p ™ IPPROTO.ICMP && type ! = I CM P_REDI R ECT && 
n->m len >= oiplen + I c M P_M IN L EN && 

!ICMP_INFOTYPE( ( (struct icmp *) ( (caddr_t)oip + oiplen) ) ->icmp_ type) ) 
icmpstat . icps_oldicmp++ ; 
goto freeit; 

/* Don't send error in response to a multicast or broadcast packet •/ 
if (n->m_flags 6 (M.MCAST | MJCAST) > 
goto freeit; 

/* 

* First, formulate icmp message 
*/ 

m = m _gethdr (M_DONTWAIT, MT_ HEADER) ; 
if (m = » NULL) 

goto freeit; 
icmp len = oiplen + min<8, oip->ip_len) ; 
m->m_len = icmplen + ICMP_MINLEN; 
MH_ ALIGN (m, m->m_len) ; 
icp = mtod(m, struct icmp *); 
if (<u_int)type > ICMP_MAXTYPE) 

panic ( • icmp_error " ) ; 
icmpstat. icps_outhist[ type) + +; 
icp->icmp_type = type; 
if (type == ICMP_REDIRECT) 

icp->tcmp_gwaddr = dest; 

else 

icp->icmp_void = 0; 
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if. (type == ICMP_PARAMPROB) ( 
icp->icmp_pptr = code; 
code = 0; 

> 

cp - > i cmp_c ode = code; 
bcopy< <caddr_t)oip, (caddr_t) &icp->icmp_ip, icmplen); 
nip = &icp->icmp_ip; 

nip->ip_len = htons ( (u_short J (nip->ip_len + oiplen)); 
/* 

* Now, copy old ip header (without options) 

* in front of icmp message. 
*/ 

if (m->m_data - sizeof (struct ip) < m->m_pktdat) 

panic ( ■ icmp len ■ ) ; 
m->m_data -= sizeof (struct ip) ; 
m->m_len sizeof (struct ip) ; 
m->m_pkthdr . len = ■ m->m_len; 
m->m_pkxhdr . rcvif = n->m_pkthdr .rcvif ; 
nip = mtodtm, struct ip *); 
bcopy( (caddr_t)oip, (caddr_t) nip, oiplen) ; 
nip->ip_len = m->m_len; 
nip->ip_hl = sizeof (struct ip) » 2; 
nip->ip_p = IPPROTO_ICMP; 
icmp_ref lect(m) ; 



f reeit: 

m_f reem(n) ; 

> 



static struct sockproto icmproto = ( AF_INET, IPPR0TO_ICMP ); 

static struct sockaddr_in icmpsrc = { sizeof (struct sockaddr_in) , AP_INET ) j 

static struct sockaddr_in icmpdst = ( sizeof (struct sockaddr_in) , AF_INET ); 

static struct sockaddr_in icmpgw « { sizeof (struct sockaddr_in) , AF_INET ); 

struct sockaddr_in icmpmask = { 8, 0 ); 

struct in_ifaddr *ifptoia(); 



* Process a received ICMP message. 
*/ 

icmp_input (m, hlen) 

register struct mbuf *m; 
int hlen; 

register struct icmp *icp; 

register struct ip *ip = mtodtra, struct ip *); 
int icmplen = ip->ip — len; 
register int in- 
struct in_ifaddr *ia; 
int ( *ctlfunc) ( ) , code; 
extern u_char ip_protox[); 
extern struct in_addr in_makeaddr ( ) ; 



* Locate icmp structure in mbuf, and check 

* that not corrupted and of at least minimum length. 
V 

#ifdef ICMPPRINTFS 

if (icmpprintf s) . , 

printf ( "icmp_input from %x, len %d\n - , ip->ip_src, icmplen); 

Vendif 

if (icmplen < ICMP_MINLQ*) { 

temps tat. icps_tooshort++; 
goto freeit; 

i = hlen ♦ MIN( icmplen, ICMP_ADVLENMIN) ; 
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if- (m->m_len < i && (m = m__pullup(m, i) ) == 0) { 
icmpstat. icps_tooshort++; 
return; 

.p = mtod(m, struct ip *); 
m->m_len -= hlen; 
m->m_data += hlen; 
icp = mtod(m, . struct icmp *) ; 
if (in_ c)csum(m f icmp 1 en) J < 

icmps tat . icps_checJcsum++ ; 

goto freeit; 

) 

m->m_len += hlen; 
m->m_ data -= hlen; 

ftifdef ICMPPRINTFS 
/* 

* Message type specific processing. 
*/ 

if (icmpprintfs) 

printf ( "icrnp_ input, type %d code %d\n", icp- >xcmp_ type , 
icp->icmp_ code) ; 

#endif 

if <icp->icmp_type > ICMP_MAXTYPE) 
goto raw; 

icmpstat . icps_inhist [ icp->icmp_type} +♦; 
code = icp->icmp_code; 
switch (icp->icmp_type) { 

case ICMP_UNREACH : 

if (code > 5) 

goto badcode; 
code += PRC_UNREACH_NET; 
goto deliver; 

case ICMP_TIMXCEBD: 

if (code > 1) 

goto badcode; 
code ♦= PRC_TIMXCEED_INTRANS; 
goto deliver; 

case ICMP_PARAMPR03: 
if (code) 

goto badcode; 
COde = PRC_PARAMPROB; 
goto deliver; 

case ICMP_SOURCEQUENCH: 
if (code) 

goto badcode; 
code = PRC_QUENCH; 

de liver : 

/* 

* Problem with datagram; advise higher level routines. 

if (icmplen < ICMP_ADVLENMIN || i crap 1 en < ICMP_ADVLEN( icp) || 
icp->icmp_ip. ip_hl < (sizeof (struct ip) » 2)) ( 
icmpstat. icp s_badlen++; 
goto freeit; 

) 

NTOHS (icp->icmp_ip. ip_len) ; 

#ifdef ICMPPRINTFS 

if (icmpprintfs) a 

print f ( "deliver to protocol %d\n - , xcp->icmp__ip. ip_jp) 

ftendif , . . fc 

i cmps rc . s in_addr = icp->icmp_tp. ip_ast ; 
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.if (ctlfunc = inetsw[ip_protox[icp->icmp__ip. ip_p) ) .pr_ctlinput) 
( *ctlfunc)(code, (struct sockaddr *)&icmpsrc, 
(caddr_t) &icp->icmp_ip) ; 

break; 

badcode: 

icmpstat. icps_badcode++; 
break; 

case ICMP_ECHO: 

icp->icmp_type = ICMP_ECHOREPLY; 
goto reflect; 

case ICMP_JTSTAMP : 

if (icmplen < ICMP_TSLEN) { 

icmpstat . icps_badlen++; 
break; 

icp->icmp_type = ICMP__ TSTAMPREPLY ; 
icp->icmp_rtime = iptiraeO; 

icp->icmp_ttime = icp->icmp_rtime; /* bogus, do later! / 

goto reflect; 

case ICMP_IREQ: 
#define satosin(sa) {(struct sockaddr_in *)(sa)) 

if (in_netof (ip->ip_src) == 0 &fc 

(ia = ifptoia(m->m_pkthdr.rcvif) )) 

ip->ip_src = in_makeaddr(in_netof ( IA_SIN< ia) ->sin_addr) , 
in_lnao f ( ip -> ip_s re ) ) ; 
icp->icmp_type = ICMF_I REQR EPLY ; 
goto reflect, - 

case ICMP_MASKREQ : 

if (icmplen < ICMP.MASKLEN || 

<ia = ifptoia (m->m_pkthdr .rcvif ) ) == 0) 
break; 

icp->icmp_type = ICMP — MASKREPLY ; 

icp->icmp__mask = ia->ia_sockmask. sin.addr. s_addr; 
if (ip->ip_src.s_addr == 0) ( 

if <ia->ia_ifp->if_flags & I FF_B RO ADCAST ) 

ip->ip sre = satosin(&ia->ia_broadaddr)->sin_addr; 
else if Ua->ia_ifp->if_flags & I FF.PO INTO POINT) 

ip->ip_src = satosin(&ia->ia_dstaddr) ->sin_addr; 

) 

reflect: ip->ip_len hlen; /* since ip.input deducts this */ 

icmpstat . icps.ref lect++ ; 
icmpstat. icps_outhist [ icp->icmp_type) ++; 
icmp_ref lect (m) ; 
return; 

/* Hung Vu Oct 28, 1994 */ 
itfndef MIL K YWA Y_B H 

case ICM [^™™T; < jcp^^dvleMMTM || icmplen < ICMP_ADVLEN ( icp) ) ( 
icmpstat . icps_badlen++; 
break; 

) 

/* 

* Short circuit routing redirects to force 

* immediate change in the kernel's routing 

* tables. The message is also handed to anyone 

* listening on a raw socket (e.g. the routing 

* daemon for use in updating its tables) . 
*/ 

icmpgw. sin_addr ~ ip->ip_src; 
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. icmpdst . sin_addr = icp->icmp_gwaddr; 
•liMef ICMPPRINTFS - 

if ( icmpprintf s) 

s printf ( "redirect dsc %x to %x\n - , icp->icmp_ip. ip_dst, 

icp->icmp__gwaddr) ; 

tf endi f 

if (code == ICMP_REDIRECT_NET || code == ICMP_REDIRECT_TOSNET) { 
u_long in_netof(); 
icmpsrc . sin_addr = 

w in_raakeaddr (in.netof (icp->icmp_ip.ip_dst> , I NADDR_ AN Y ) ; 

in_sockmaskof (icp->icmp_ip. ip_dst, ticmpmask) ; 
rtredirect( (struct sockaddr *)&icmpsrc, 
(struct socJcaddr *)&icmpdst, 
(struct socJcaddr * ) Aicmpmask, RTF_GATEWAY, 
(struct sockaddr *)&icmpgw. (struct rtentry **)0); 
icmpsrc . sin__addr = icp->iara?_ip- ip_dst ; 
15 p f c 1 1 inpu t ( PRC_RED I RECT_NET , 

(struct sockaddr *)&icmpsrc); 

) else { 

icmpsrc. sin_addr = icp->icmp_ip. ip_dst; 
rtredirect( (struct sockaddr *)&icmpsrc, 

(struct sockaddr *)&icmpdst, 
2Q (struct sockaddr *)0, rtf.gateway | rtf_host, 

(struct sockaddr •)&icmpgw, (struct rtentry **)0); 
p f C tl inpu t ( PRC_REDI RECT_HOST , 

(struct sockaddr *) &icmpsrc) ; 

) 

break; 

25 iendif 

* No kernel processing for the following; 

* just fall through to send to raw listener. 
V 

_ n case ICMP_ECHOREPLY : 

30 case ICMP_TSTAMPREPLY: 

case ICMP.IREQREPLY: 

case ICMP_MASKREPLY : 

default: 

break; 

> 

raw: 

icmpsrc . sin_addr = ip->ip_src; 
icmpdst ,sin_addr = ip->ip_dst; 

(void) raw_input<m, ticmproto, (struct sockaddr *)&icmpsrc, 
(struct sockaddr *) fcicmpdst) ; 
40 return; 

f reeit : 

m_freem(m) ; 

} 



' f • Reflect the ip packet back to the source 



•/ 

icmp_ref lect (m) 

struct mbuf m m; 

{ 



so 



register struct ip *ip = mtod(m, struct ip *) ; 
register struct in_if addr *ia; 
struct in_addr t; 

struct mbuf *opts = 0, •ip_srcroute ( ) ; 

int optlen = (ip->ip_hl « 2) - sizeof (struct ip) ; 

t = ip->ip_dst; 
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ip.->ip-fist = ip->ip_src: 
/ * 

* If the incoming packet was addressed directly to us, 

s * use dst as the src for the reply. Otherwise (broadcast 

* or anonymous) , use the address which corresponds 

* to the incoming interface. 

*' . / 

for (ia = in_ifaddr; ia; ia = ia->ia_next) ( 

if <t.s_addr == IA_SIN(ia) ->sin_addr . s_addr) 
in break; 

10 if ( (ia->ia_ifp->if_flags & IFP.BROADCAST) &£ 

t.s_addr == satosin(&ia->ia_broadaddr) ->sin_addr - s_addr) 
break; 

if (ia == (struct in_ifaddr *)0) 

ia = ifptoia (m->ny_pkthdr .rcvif ) ; 
15 if (ia « (struct in_ifaddr *)0) 

ia = in_ifaddr? 
t = IA_SIN(ia) ->sin_addr; 
ip->ip_src = t? 
ip->ip_ttl = MAXTTL; 

20 if {optlen > 0) { 

register u.char *cp; 
int opt, cnt; 
u_int len ; 

2S / * Retrieve any source routing from the incoming packet; 

* add on any record- route or timestarop options. 
V 

cp = (u_char *) (ip + D ; 

if ((opts = ip_srcroute() ) == 0 && 

(opts « m _gethdr(M_DONTWAIT, MT_HEADER) ) ) { 
opts->nulen = si2eof (struct in_addrj ; 
30 mtod(opts, struct in_addx *)->s_addr = 0; 

) 

if (opts) ( 
#ifdef ICMPPRINTFS 

if (icrapprintfs) ^ ^ 

printf ("icmp_reflect optlen %d rt %d => 
35 optlen, opts->m_len) ; 

#endif for (cnt * optlen; cnt > 0; cnt -= len, cp += len) { 

opt = CP [ I POPT_OPTVAL ] ; 
if (Opt == IPOPT.EOL) 
break; 

40 if <opt == IPOPT_NOP) 

len = 1; 

else { 

len = cp(IPO?T_OLEN] ; 
if (len <= 0 | | len > cnt) 
break; 

> 

* should check for overflow, but it -can't happen' 
*/ 

if (opt == IPOPT_RR | | opt == IP0PT_TS) { 
bcopy< (caddr_t)cp, 

mtod(opts. caddr_t) + opts->nulen, len) 
so opts->m_len += len; 

) 

> ~* , 

if (oots->m len % 4 != 0) { 

Mmwd(opt 3 , caddr.t) ♦ opts->m_len) = IPOPT.EOL; 
opts->m__len++ ; 

55 
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) 

iifdef ICMPPRINTFS " 

if (icmpprintf s) 
s printf r%d\n", opts->n\_len) ; 

«endif 

) 

* Now strip out original options by copying rest of first 

* mbuf *s data back, and adjust the IP length. 

* / 

10 ip->ip_len -= optlen; 

ip->ip_hl = sizeof (struct ip) » 2; 

m->m_len -= optlen; 

if (m->n\_f lags & M_PXTHDR) 

m->m_pkthdr . len -» optlen; 
optlen += si2eof (struct ip) ; 

bcopy( (caddr_t) ip + optlen. (caddr_t) (ip + D* 

(unsigned) <m->m_ len - sizeof {struct ip) ) J ; 

m->m_flags fc= - (M_BCAST | M_MCAST) ; 
icmp_send (m, opts ) ; 
if (opts) 

20 ( void) m_f reef opts ) ; 

> 

struct in_ifaddr * 
ifptoia ( ifp) 

struct if net *ifp; 



2S ( 



30 



) 



register struct in_ifaddr *ia; 

for (ia = in_ifaddr; ia; ia = ia->ia_next) 
if (ia->ia_ifp == ifp) 
return (ia) ; 
return ((struct in_ifaddr *)0); 



/* 

* Send an icmp packet back to the ip level , 

* after supplying a checksum. 
*/ 

35 icmp_send(m, opts) 

register struct mbuf •in- 
struct znbuf *opts; 

* register struct ip *ip = mtodtm, struct ip *); 

register int hi en; 
40 register struct icmp *icp; 

hlen = ip->ip_hl « 2; 
m->m_data += hlen; 
m->m_len -= hlen; 
icp = mtodtm, struct icmp *); 
icp->icmp_cksuin =0; 
45 icp->icmp_cksum = in_cksum(m. ip->ip_len - hlen) ; 

m->m_data -= hlen; 
m->nv_len += hlen; 
#ifdef ICMPPRINTPS 

if Ucmp P^^^i lcmp _ serld dst %x src % x \n", ip->ip.dst. ip->ip_src) 

50 tendif 

(void) ip_output (m. opts, (struct route *)0, 0) ; 

) 
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n_time 
iptime < ) 
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struct timeval atv; 
u_long t; 

icrocime (iatv) ; 
t = (atv.tv.sec % (24*60*60) ) * 1000 + atv.tv_usec / 1000; 
return <htonl(tJ); 



APPENDIX B 



MODIFICATIONS TO PROXY FTP AND PROXY TELNET SOURCE CODE 
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jupiter- {/mil Jcyway/devel/hungvu/milkyvay/ proxies /ftp) 75 >diff proxy-ftp. c /home 

/hoctub/hungvu/archive/fwtk/ f tp-gw/ f tp-gw .c 

lcl,2 

< /* Copvxight (c) 1993, Trusted information Systems. Incorporated 

> /*- 

> * Copyright (c) 1993, Trusted Information Systems, incorporated 
11. 17C12,13 

< /* 

< * Copyright (c) 1994, Milkyway Networks Corporation 

< •All rights reserved. 



< /* 



Modified by Hung vu March 26, 1994 to support real proxy ftp 



25 



35 



< */ 






> static 


char Res Id [ 3 - " SHeader : f tp -gw - 


Exp $"; 




> 

26a23 ,24 




> # include 


<arpa/f tp.h> 


> • include 


<arpa/ telnet . h> 


31,35d28 




< # include 


<arpa/f tp.h> 


< 4 include 


<arpa/ telnet .h> 


< # include 


<arpa/inet . h> 


< # include 


<sys/file.h> 


< # include 


<net/if ,h> 


47c40 




< # define 


VERSION -1.0" 


> tf define 


VERSION "1.3" 


74d66 




< static 


int authneeded 


99, 101d90 




< static int 


cmd_enable() ; 


< static int 


cmd_disable ( ) ; 


< static 


void get_enablename ( ) ; 


109d97 


0P_DISABLED 0100 /* Has been 


< #define 


117,120dl04 




< "en" , 


OP_AUTH , 


< "enable 


OP AUTH, 


< -dis". 


OP AUTH, 


< -disable". OP_AUTH. 


127dll0 




< " xcwd " , 


OP_CONN, 


129dlll 




< *xpwd", 


OP.CONN. 


134dll5 




< "xcup", 


OP_CONN. 


143dl23 




< "xrmd". 


OP_CONN. 


14Sdl24 




< "xmkd- , 


OP_CONN, 


147dl25 




< * xpwd " , 


OP_CONN , 


167dl44 




< •xrmd" , 


OP_C0NN, 


169dl45 




< "xmkd", 


OP_CONN, 



1; 



178,182dl53 

< static struct 

< static char 

< static int 



cmd_enable , 
cmd_ enable, 
cmd_di sable, 
cmd_di sable, 

0, 

0, 

0, 

0, 

0, 

0, 

0, 

0, 



sockaddr_in f inal_ sockaddr ; 

f inal_address(128) ; 

final_len = sizeof ( f inal_sockaddr ) ; 
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197dl6-7 . 

< char *ptr; 
200,217ci70 

< enlog( "proxy- ftp" , L0G_P ID) ; 

< telse 

< openlog( "proxy- ftp" , LOG_PID| LOG_NDELAY , LFAC) ; 

< fendif 

<: 

< /* Hungvu March 26, 19 94 */ 

< /* First get socket name */ 

< get sockname (0 , (struct sockaddr *) if inal_sockaddr *&f inal_len) ; 

< ptr = inet_ntoa ( f inal_sockaddr . sin_addr) ; 

< strcpy (&f inal_address [0 J ,ptr) ; 
< 

< /* 

< sys log (LLEV. "final address is %s or %s" ,ptr, f inal_address J ; 

< V 
< 

< if (pirate_check<) ) { 

< ilifdef BSDI , ^ r 

< syslog(lXEV, wrong License info %lx and %lx", getetheraddr ( 
0), getetheraddr (1) ); 

> openlog("ftp-gw*, LOG_PID) ; 
219,220cl72 

< syslog(LLEV, ■*** wrong License info for HOSTID = %x" , gethosti 
d< 

< )); 

> openlogCftp-gw", LOG_PID|LOG_NDELAY # LPAC) ; 
222.223dl73 

< exit(l); 

< ) 
227C177 

< if((confp = cfg_read( * proxy -ftp") ) « (Cfg 

> if((confp a c£g_read("ftp-gw)) == (Cfg *)-l) 
295d244 

< /* 
306d254 

< ♦/ 

308,316d2S5 

< if (chdir (ENABLE_DIRECTORYM { 

< syslog(LLEV. "chdir %S; %m° , ENABLE_D 2 RECTORY) ; 

< exit(l); 

< ) 

< if (chroot (ENABLE_D I RECTORY) J ( 

< syslog(LLEV. "chroot %s: %m" , ENABLE_DIRECTORY) ; 

< exit(l); 

< ) 

< chdir (■/">; 
375c3 14 

< sprintf (xuf . "220 %s proxy-FTP (Version %s) ready ,huf ,V 
ERSION) ; 

> sprintf (xuf , "220 %s FTP proxy (Version %s) ready- " ,huf, V 
ERSION) ; 

401,404d339 

< lifdef MICRO_BH 

< if (exceed_number (1) ) goto offnow; 

< change_nuniber (1,1); 

< iendif 
422,425d356 

< iifdef MICRO_BH 

< chang e_number (-1,1) ; 



SS 
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25 



432,433c363,364 



goto of f now; 



437, 438c368,369 



iflrfd != -1 && FD_ISSBT(rfd.*rdy) ) 
if (peerreply I ) ) 

if <FD_ISSET<0,&rdy) ) 
if (usercmd( ) ) 

if (FD_ISSET(0.&xdy) ) 

< if (usercmd { ) ) 

> if(rfd != -1 && PD_ISSET(rfd,&rdy) ) 

> i f < peerreply ( ) ) 
456.459d386 

< *ifdef MICRO_BH 

< change_number ( - 1 , 1 ) ; 

< offnow: 

< #endif 
487,51fid413 

< /• 

< Hung Vu April 16, 1994 

< get enable_naroe 

< •/ 

< static void 

< get_ enablename (enable__name) 

< chat *enable_name; 

< ( 

< strcpy (enable_najne, EN A BLE_ DIRECTOR YCR) ; 

< strcat (enable_name, riaddr) ; 

< ) 
< 

< 

< static int 

< cmd_enable(ac,av,cbuf ) 

< int ac; 

< char *av() ; 
char *cbuf; 



< ( 



int fd; 

char enable_name ( 5 12 1 ; 



< 

< get_enablename(enable__ name) ; 

< if ( (fd = open <enable_name,0_CREAT. 0 660 ) » = = -1 ) return(l) 

< close(fd) ; 

< say (0, "Transparent mode enabled"); 

< syslog(LLEV, "Transparent mode enabled for host %s*, riaddr) 

< return ( 0); 



< > 

S18.532d414 

< static int 

< cmd_disableCac.av.cbuf) 

< int ac; 

< char *av[ ) ; 

< char *cbuf; 



< 



int fd; 

char enable_name [ 512 1 ; 



get_enablename (enable_name) ; 

unlink(enable_name) ; 

say (0 , -Transparent mode disable"); 

syslog(LLEV # -Transparent disable fcr host %s". riaddr); 
return (0) ; 
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538,540d419 

< . int fd; 

< char enable_name 1512] ; 

< -har bu£[2); 
556,569 M 

< 

< /* Check for transparent mode enabled. Hung Vu April 16, 1994 */ 

< get.enablename (enable_name) ; 

< if ( (fd = open(enable_name, O_RDONLY,0)) != -1) 



( 

< 

ady 



authenticated =1; /» autnenticated aire 



read(fd,buf , 1) ; 

< close (fd); 

< ) else ( 

< FtpOp *op; 

< for (op « Ops; op->name 1= (char *)0; op+ 
+ ) 

< if(<op->flg & 0P_A0K) == 0) 

< op->flg |= O P_AUTH | OP_ 
DISABLED; 

< authallf lg + * ; 

< ) 
577d441 

< syslog(LLEV, "deny host=%s/%s use of gateway" , rladdr, riaddr) ; 
666d529 



682,692cS45 



708dS60 



if ( ! strcmp(c->argv[x] , " -noauth" ) ) { 
FtpOp *op; 

for (op « ops; op->name != (char *)0; op+ + > 
if((op->flg & OP.AOK) == 0) 

if (Op->flg & OP_DISABLED) 

op->flg Sl- !0P__AUTH; 

authallflg = 0; 
continue; 

> 

/* default turn on auth for ALL transactions */ 



748,750c600 
35 < /* Modified Hungvu Mar 26 1994 */ 

< static char noad() = *501 Enter user username or user usernameQsite 
to connect via proxy* ; 

< 

> static char noad(] = •SOI Use userSsite to connect via proxy-; 

755d604 

40 < struct sockaddr_in tsockaddr; 

771.785c620.625 

< /* 

< It is all here for real proxy-tcp: 

< If user enter only username then used the 

< original destination address 

45 < */ 

< if((p = rindex(av(l] , *8' ) ) == (char *)0) ( 

< if (av(lj — (char *)0) return ( sayn I 0, noad , s izeof (noad) )) ; 

< else p » &f inal_address (0 ) ; 

< ) 

< else ( 

< *p = '\0' ; 

SO < P + + ; 

< if ( *p = = *\0* ) 
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< p = &f inal_address ( 0] ; 

< . ) 

> *f((p = rindex(av[l] , ) ) — (char *}0) 

> return (sayn (0 f noad, sizeof (noad) ) ) ; 

> P+ + ; 
> 

> if (*p == *\0' ) 

> p = "localhost"; 

804,810d643 ^ . , 

< /* Modified by Hungvu May 28. 1994. Do not connect if connect back to self •/ 

< tsockaddr . sin_addr . s_addr = inet.addr <p) ; 

< if ( checkmyaddr <&tsockaddr) 0 ) { 

< sprintf (buf , • Already connected to %s ",p>; 

< return<say (0, buf ) ) ; 



> 



829d661 

< /* 
B32d663 

< -/ 
B83C714 
< 

r> ; 
> 

1161c992 



sprintf (lbuf, "authorize %s 'proxy-ftp %s/%s ■ - , avfll , rladdr. riadd 

sprintf Ubuf, -authorize %s 'ftp-gw %s/%s ' " ,av(l] , rladdr, riaddr) ; 
kbuf[2) = IAC; 



> kbuftl] = IAC; 

1182, HS4dl012 

< #ifdef MXCRO_BH 

< c ha nge_ number (-1,1) ; 

< #endif 
1655al494, 1485 



35 



40 



45 



50 



55 



51 



EP 0 713 311 A1 



SO 



jupiter-C /home/ ho ttub/hungvu/archive/ fwtk/ tn-gw) 70 >diff proxy-telnet . c /home/h 
ot tub /hungvu/ar chive / fwtk/ tn-gw/ tn-gw. c 
7-a8 . 
> 

11, lvcl 

< /• 

< • Copyright (c) 1994, Milkyway Networks Corporation 

< * All rights reserved. 

< •/ 

< / * 

< * Modified by Hung Vu March 26. 1994 to support real proxy telnet 



> static 
Exp $•; 
35,36d29 

< # include 

< # include 
51c44 

< ^define 

> #define 

57c50 

< static 

> static 
84, 87d76 

< static 

< static 

< static 



char RcsIdU * "SHeader: tn-gv.c,v 1.6 94/02/11 11:04:41 mjr 



<net/if .h> 
<sys/£ile.h> 

VERSION -V1.0" 

VERSION -VI. 3* 

int 



int 

int 
int 
void 



authneeded = 1; 
authneeded = 0; 



cmd_enable( ) ; 
ctrtd_di sable O ; 
get_enablename ( ) ; 



enable tranparent mode*, 
disable tranparent mode". 



cmd_enable, 
cmd_disable, 



95,96d83 

< "enable", 

< "disable- . 
124,130clll 

< openlog ("proxy- telnet" , LOG_PID) ; 

< #else 0 p en ^ 0 ^ ^ "proxy- telnet " , LOG_PID | LOG._MDELAY , LFAC ) ; 

< #endif 

< if <pirate_check() ) { 

< #i£def syslogfLLEV, "*** Wrong License info %lx and %lx-, getetheraddr < 
0), getetheraddr ( 1) >; 



openlog ( ' tn-gw" , L0G_PID) ; 

syslogtLLEV, 



132cll3 
< 

d() >; 

> " " openlog ( " tn-gw ■ , LOG_P ID | LOG_£JDELAY , LFAC ) ; 

134.135dll4 

exit(l) ; 



Wrong License info for H0STID = %x",gethosti 



140cll9 



) 

if((confp = cfg_read< "proxy- telnet" ) ) (Cfg *) -1) 
if((confp = c fg_read<" tn-gw" ) ) == <Cfg *)-!) 



192dl70 

< /* 
203dl80 

< */ 

205,213dl81 

< if (chdir (ENABLE_DIRECTORY) ) { 

< syslogtLLEV, "chdir %s: %m" , ENABLE_DT RECTORY ) ; 

< exit(l); 

< ) 
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if (chrOOt(ENABLE_DIRECTORY) ) { 

syslog(LLEV, -chroot %s : %m*. ENABLE.D I RECTORY) ; 
exit (1) ; 

) 

chdir ( •/") ; 

prompt = "proxy-telnet^ ■ ; 
prompt: = -tn-gw-> " ; 

sprintf (xuf . "%s proxy-telnet (Version %s) ready: huf , VERSION) 
sprintf (xuf , -%s telnet proxy (Version %s) ready : " , hu f , VERSION) 



297.300d264 

< /* Modified HungVu Mar 27 , 19 94 

< to support real proxy-telnet 

< * / • , 

< if (notmyaddr () ) goto maxn_loop; 

306c270 

< goto leave2; 

> goto leave; 

309,313d272 

< mair\_ioop: 

< #ifdef MICRO_BH 

< if (exceedLnuirtoer (1) ) goto leave2; 

< change_number (1,1); 

< #endif 
319a279 
> 

322.325d281 

< iifdef MICRO_BH 

< change_number (-1,1) ; 

< goto leave2; 

< lendif 
383,386d338 

< #ifdef MICRO_BH 

< change_number (-1,1) ; 

< #endif 

< leave 2 : 
508, S50d459 

< static void 

< get_enablenajne{enable_name) 

< char *enable_name; 

< { 

< strcpy (enable_name, ENABLE_D I RECTOR YCR ) ; 

< stxcat (enable_name, riaddr ) ; 

< ) 



< static int 

< cmd_enable(ac,av,cbuf ) 

< int ac; 

< char *av[] ; 

< char *cbuf; 



{ 



int fd; 

char enable_name [512 ) ; 
get enablename (enable_name) ; 

if ( (fd = open(enable_name,O_CREAT.0660>) — -1 > returnll); 
close (fd) ; 

say (0, -Transparent mode enabled"); 

syslog(LLEV, -Transparent enabled for host %s", riaddr); 
return (0) ; 
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< static . int 

< cmd_disable (ac, av, cbuf ) 



< int 

< char 

< char 

< { 



ac; 

*av[) ; 

•Cbuf ; 

int 
char 



fd; 

enable.naine (5121; 



get.enablenaate (enable_name) ; 
unlink (enable_name) ; 

s ay (0, "Transparent mode disable"); 

syslogtLLEV, -Transparent disable for host %s", 
return (0) ; 



riaddr) j 



OS 



5S5,557d463 

< char 

< int 

< char 
571,577d476 



enable.name [512 ] ; 
fd; 

buf [2] ; 



get_enablename(enable_name) ; 

if ( (fd = open(enable_name, 0_RDONLY,0)) != -1) 



< readtfd.buf ,1) ; 

< authneeded = 0; 

< close (fd) ; 

< ) else authneeded = 1; 

5S4d482 . . , 4 1 

< syslog(LLEV, "deny host=%s/%s use of gateway- , riaddr , riaddr) j 

625d522 

< /• 

627,631d523 

< *' 

< continue; 

< if ( !strctnp(c->argvCx] , "-noauth") ) { 

< authneeded - 0; 
669a562 

> 

1045C938 
< 

ddr, riaddr) ; 



spr int f (cbuf , -authorize %s 'proxy-telnet %s/%s • • ,buf . rla 
sprintf (cbuf . 'authorize %s 'tn-gw %s/%s ■ - ,buf , riaddr, ria 

ddr) ; 

1381, 1385cl274, 1276 

< /* 

< Check if the address of the socket is not my address. 

< If not call cmd_connect to connect immediately to the far end 

< */ 

< notmyaddrO 



> #ifdef BINDDEBUG 

> debugbindt) 
13S7, 1398C1278, 1280 

< struct sockaddr_in 

< char 

< char 

< char 

< int 



f inal_sockaddr; 

f inal_address{128) 
f inal_port(163 ; 
*av[3) ; 

f inal_len=sizeof ( f inal_sockaddr) ; 



55 



54 



EP 0 713 311 A1 



< get sockname (0, (struct sockaddr •) & f inal_sockaddr , & f inal_len) ; 

< " itoa {ntohs (f inal_sockaddr .sin_port ) , I inal_port) ; 

< s-trcpy (f inal_address, inet.ntoa ( t inal_sockaddr . sin_addr) ); 

< flv[0) = (char *) (0) ; 

< (1} = f inal_address; 

< avl2) = final_port; 

> struct sockaddr_in mya; 

> int x; 

> int nread; 
1400, 1401cl282, 1291 

< #ifdef IODEBUG 

< syslogtLLEV, -final address is %s port is %s*\ f inal_address . f inal_port 

) ; 

I if((x a socket <AF_I NET, SOCK_STREAM. 0} ) < 0) ( 

> per ror ( "socket" ) ; 

> exit(l); 

> ) 

> mya. sin_family = AF_INET; 

> bzero (fcmya. sin_addr , sizeof (mya. sin_addr) ) ; 

> #ifndef BINDDEBUGPORT 

> mya.sin_port = htons (TNPORT) ; 

> Seise 

> mya.sin_port = htons (BINDDEBUGPORT) ; 
1403, 1408cl293, 1308 

< if (checkrayaddr(&£inal_sockaddr) == 0) return (0) 

< /* Not my address, do connection to the far end */ 

< cmd_connect (3 , av, (char *)(0)); 

< return (1 J ; 

> if (bind (x, (struct sockaddr •) fcmya, sizeof (mya) ) ) < 

> perror ( "bind" ) ; 

> exit(l); 

> ) 

> if Uisten<x, 1) < 0) { 

> perrori "listen" ) ; 

> exit(l); 

> ) 

> if ((nread = accept (x, 0, 0) ) < 0) ( 

> per ror ( "accept- J ; 

> exit(l); 

> ) 

> close(O) ; 

> dup (nread) ; 

> close(l) ; 

> dup (nread) ; 
1409al310 

> # end if 



; 



Claims 

1. A method of providing a secure gateway between a private network and a potentially hostile network, comprising 
the steps of: 

a) accepting from either network all communications packets that are encapsulated with a hardware destination 
address which matches the device address of the gateway; 

b) determining whether there is a process bound to a destination port number of an accepted communications 
packet; 

c) establishing a first communications session with a source address/source port of the accepted communi- 
cations packet if there is a process bound to the destination port number, else dropping the packet; 

d) establishing a second communications session with a destination address/destination port of the accepted 
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communications packet if a first communications session is established; and 

e) transparently moving data associated with each subsequent communications packet between the respective 
first and second communications sessions, whereby the first session communicates with the source and the 
second session communicates with the destination using the data moved between the first and second ses- 
sions. 

A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 1 wherein the step of determining involves checking to determine if a process is bound to the destination 
port number, and passing the packet to a generic process if a process is not bound to the destination port number, 
the generic process acting to establish the first and second communications sessions and to move the data between 
the first and second communications sessions. 

A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 1 wherein the method further involves the steps of: 

a) checking a rule base to determine if the source address requires authentication; and 

b) authenticating the source by requesting a user identification and a password and referencing a database 
to determine if the user identification and password are valid. 

A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 1 wherein the method further involves the steps of: 

a) referencing a rule base after the first communications session is established to determine whether the 
source address is permitted to access to the destination address for a requested type of service; and 

b) cancelling the first communications session if the rule base does not include a rule to permit the source 
address to access the destination address for the requested type of service. 

A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 3. wherein the method further involves the steps of: 

a) creating a user authentication file which contains the source address of the authenticated user in a user 
authentication directory; and 

b) referring to the authentication file to determine if a source address has been authenticated each time a new 
communications session is initiated so that the gateway is completely transparent to an authenticated source. 

A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 5 wherein the user authentication file includes a creation time variable which is set to a system time value 
when the user is authenticated. 

A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 6 wherein the method further involves the steps of: 

a) updating a modification time variable of the authentication file each time the user initiates a new communi- 
cations session through the gateway station. 

A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 7 wherein the method further involves the steps of: 

a) periodically checking each user authentication file to determine whether one of a first difference between 
the authentication time variable and the system time and a second difference between the modification time 
variable and the system time has exceeded a predefined threshold; and 

b) deleting the user file from the user authentication directory if the threshold has been exceeded by each of 
the first and second differences. 

A method for providing a secure gateway between a private network and potentially hostile network as claimed in 
claim 1 wherein the method further involves the steps of: 

a) performing a data sensitivity check on the data associated with each packet as a step in the process of 
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moving the data between the respective first and second communications sessions. 

10. A method of providing a secure gateway between a private network and a potentially hostile network, comprising 
the steps of: 

5 

a) accepting from either network all TCP/IP packets that are encapsulated with a hardware destination address 
which matches the device address of the gateway; 

b) determining whether there is a proxy process bound to a port for serving a destination port number of an 
accepted TCP/IP packet; 

10 c) establishing a first communications session with a source address/source port number of the accepted 

TCP/IP packet if there is proxy process bound to the port for serving the destination port number, else dropping 
the packet; 

d) determining it the source address/source port number of the accepted packet is permitted to communicate 
with a destination address/destination port number of the accepted packet by referencing a rule base, and 
is dropping the packet if a permission rule cannot be located; 

d) establishing a second communications session with the destination address/destination port number of the 
accepted TCP/IP packet if a first communications session is established and the permission rule is located; and 

e) transparently moving data associated with each subsequent TCP/IP packet between the respective first 
and second communications sessions, whereby the first session communicates with the source and the second 

20 session communicates with the destination using the data moved between the first and second sessions. 

11. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 10 wherein the step of determining involves checking a table to determine if a custom proxy process is 
bound to the destination port number, and passing the packet to a generic proxy process if a custom proxy process 

25 js not bound to the destination port number, the generic proxy process being executed to establish the first and 

second communications sessions and to move the data between the first and second communications sessions. 

12. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 10 wherein the method further involves the steps of: 

30 

a) checking a rule base to determine if the source requires authentication; 

b) checking an authentication directory to determine if an authentication file exists for the source in an instance 
where the source requires authentication; and 

c) if the source requires authentication and an authentication file for the source cannot be located, authenti- 
35 eating the source by requesting a user identification and a password and referencing a user identification 

database to determine if the user identification and password are valid. 

13. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 10 wherein the method further involves the steps of: 

40 

a) referencing a rule base after the first communications session is established to determine whether a user 
identification/password at the source address is permitted to communicate with the destination address for a 
requested service; and 

b) cancelling the first communications session if the rule base does not include a rule to permit the user iden- 
45 titicat ton/password at the source address to communicate with the destination address for the requested type 

of service. 

14. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 12, wherein the method further involves the steps of: 

so 

a) creating a user authentication file which contains the source address of the authenticated user in a user 
authentication directory; and 

b) referring to the authentication file to determine if a source address has been authenticated each time a new 
communications session is initiated so that the gateway is completely transparent to an authenticated source 

ss having an authentication file in the authentication directory. 

15. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 14 wherein a file creation time variable which is automatically set by an operating system of the gateway 
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station to a system time value when a file is created, is used to monitor a time when the user is authenticated. 

16. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 14 wherein the method further involves the steps of: 

a) rewriting the user authentication file each time the user initiates a new communications session through 
the gateway station so that a modification time variable in the authentication file is automatically updated by 
the operating system of the secure gateway. 

17. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 16 wherein the method further involves the steps of: 

a) periodically checking each user authentication file to determine whether one of a first difference between 
the authentication time variable and the system time and a second difference between the modification time 
variable and the system time has exceeded a predefined threshold; and 

b) deleting the user file from the user authentication directory if the threshold has been exceeded by both of 
the first and second differences. 



1B. A method for providing a secure gateway between a private network and potentially hostile network as claimed in 
claim 10 wherein the method further involves the steps of: 

a) performing a data sensitivity check on the data portion of each packet as a step in the process of moving 
the data between the respective first and second communications sessions, whereby the TCP/IP packet is 
passed by a modified kernel of an operating system of the secure gateway to the proxy process which extracts 
the data from the packet and passes the data from a one of the first and second communications sessions to 
a proxy process which operates at an application layer of the gateway station and the proxy process executes 
data screening algorithms to screen the data for elements that could represent a potential security breach 
before the data is passed to the other of the first and second communications sessions. 

19. Apparatus lor providing a secure gateway for data exchanges between a private network and a potentially hostile 
network, comprising in combination: 

a gateway station adapted for connection to a telecommunications connection with each of the private network 
and the potentially hostile network; 

an operating system executable by the gateway station, a kernel of the operating system having been modified 
so that the operating system: 

a) cannot forward any communications packet from the private network to the potentially hostile network 
or from the potentially hostile network to the private network; and 

b) will accept for processing any communications packet from either of the private network and the poten- 
tially hostile network provided that the packet is encapsulated with a hardware destination address that 
matches the device address of the gateway station on the respective network; and 

at least one proxy process executable by the gateway station, the at least one proxy process being adapted 
to transparently initiate a first communications session with a source of an initial data packet accepted by the 
operating system and to transparently initiate a second communications session with a destination of the 
packet, and to transparently pass the data portion of packets received by the first communications session to 
the second communications session and to pass the data portion of packets received by the second commu- 
nications session to the first communications session, whereby the first session communicates with the source 
using data from the second session and the second session communicates with the destination using data 
received from the first session. 

20. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 19 wherein the operating system is a Unix operating system. 

21. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 19 wherein the at least one proxy process includes modified public domain proxy 
processes for servicing Telnet, FTP, and UDP communications. 
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22. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed. in claim 19. wherein the at least one proxy process is a generic proxy process capable of 
servicing any network service which may be communicated within TCP/IP protocol, on any one of the 64K TCP/IP 
communications ports, 

23. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 22 wherein the kernel is modified so that it will pass to the generic proxy process any 
communications packet having a destination port number that indicates a port to which no custom proxy process 
is bound, if the generic proxy process is bound to a predefined communications port when the communications 
packet is received by the kernel. 

24. Apparatus lor providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 20 wherein the gateway station is a Unix station. 

25. Apparatus lor providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 1 9 wherein the apparatus further includes programs for providing a security adminis- 
trator with an interface to permit the security administrator to build a rule base for controlling communications 
through the gateway station. 

26. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 1 9 wherein the at least one proxy process includes domain proxy processes for serv- 
icing Gopher and TCP communications. 

27. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 19 wherein the Gopher proxy process is enabled to authenticate users whenever a 
Gopher session is initiated and user authentication is required. 

28. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 22 wherein the generic proxy process capable of servicing any network service which 
may be communicated within TCP/IP protocol, on any one of the 64K TCP/IP communications ports is a TCP proxy 
process. 
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